| | Log Name | Event Type | Category | Generated On | User | Source | Description
|
| | Application | Error | None | 2020-03-18 10:09:59 | | VSS | 13: Volume Shadow Copy Service information: The COM Server with CLSID {4e14fba2-2e22-11d1-9964-00c04fbbb345} and name CEventSystem cannot be started. [0x8007045b, A system shutdown is in progress. ] ?
|
| | Application | Error | None | 2020-03-18 10:09:59 | LOCAL SERVICE | DPTF | 17: ESIF(8.6.10401.9906) TYPE: ERROR MODULE: ACTION FUNC: EsifActWriteLogHandler FILE: esif_uf_action.c LINE: 789 TIME: 14856 ms UPE_WIFI:[WifiDev_SvcNotifyCb@wifi_dev.c#599]<14856 ms>: Error: dwNotificationStatus = 1115
|
| | Application | Error | None | 2020-03-18 10:09:59 | LOCAL SERVICE | DPTF | 17: ESIF(8.6.10401.9906) TYPE: ERROR MODULE: ACTION FUNC: EsifActWriteLogHandler FILE: esif_uf_action.c LINE: 789 TIME: 15004 ms UPE_WIFI:[WifiDev_SvcNotifyCb@wifi_dev.c#599]<15004 ms>: Error: dwNotificationStatus = 1115
|
| | Application | Error | None | 2020-03-18 10:15:51 | LOCAL SERVICE | DPTF | 17: ESIF(8.6.10401.9906) TYPE: ERROR MODULE: ACTION FUNC: EsifActWriteLogHandler FILE: esif_uf_action.c LINE: 789 TIME: 378833 ms UPE_WIFI:[WifiDev_SvcNotifyCb@wifi_dev.c#599]<378833 ms>: Error: dwNotificationStatus = 1115
|
| | Application | Error | None | 2020-03-18 10:15:52 | LOCAL SERVICE | DPTF | 17: ESIF(8.6.10401.9906) TYPE: ERROR MODULE: ACTION FUNC: EsifActWriteLogHandler FILE: esif_uf_action.c LINE: 789 TIME: 379637 ms UPE_WIFI:[WifiDev_SvcNotifyCb@wifi_dev.c#599]<379637 ms>: Error: dwNotificationStatus = 1115
|
| | Application | Warning | 3 | 2020-03-18 10:17:03 | | Windows Search Service | 3086: The system locale has changed. Existing data will be deleted and the index must be recreated. Context: Application, SystemIndex Catalog
|
| | Application | Error | None | 2020-03-18 10:18:53 | LOCAL SERVICE | DPTF | 17: ESIF(8.6.10401.9906) TYPE: ERROR MODULE: ACTION FUNC: EsifActWriteLogHandler FILE: esif_uf_action.c LINE: 789 TIME: 171374 ms UPE_WIFI:[WifiDev_SvcNotifyCb@wifi_dev.c#599]<171374 ms>: Error: dwNotificationStatus = 1115
|
| | Application | Warning | 3 | 2020-03-18 10:20:32 | | Windows Search Service | 3086: The system locale has changed. Existing data will be deleted and the index must be recreated. Context: Application, SystemIndex Catalog
|
| | Application | Error | 1 | 2020-03-18 10:24:22 | | ESENT | 522: StartMenuExperienceHost (5764,P,98) TILEREPOSITORYS-1-5-21-4230960370-218822903-690480705-1002: An attempt to open the device with name "\\.\C:" containing "C:\" failed with system error 5 (0x00000005): "Access is denied. ". The operation will fail with error -1032 (0xfffffbf8).
|
| | Application | Error | 3 | 2020-03-18 10:24:22 | | ESENT | 455: StartMenuExperienceHost (5764,R,98) TILEREPOSITORYS-1-5-21-4230960370-218822903-690480705-1002: Error -1023 (0xfffffc01) occurred while opening logfile C:\Users\redblue\AppData\Local\TileDataLayer\Database\EDB.log.
|
| | Application | Error | None | 2020-03-18 10:35:44 | | COM | 10031: An unmarshaling policy check was performed when unmarshaling a custom marshaled object and the class {F6C29334-47DC-4397-9150-F549CF1D4861} was rejected
|
| | Application | Error | None | 2020-03-18 10:37:30 | | Microsoft Office 16 | 2011: Office Subscription licensing exception: Error Code: 0x305; CorrelationId: {A55672FD-87FF-4F06-BCBB-A3CE5816A1B8}
|
| | Application | Error | None | 2020-03-18 10:38:41 | SYSTEM | CertEnroll | 87: SCEP Certificate enrollment for WORKGROUP\DESKTOP-UT5JEJD$ via https://INTC-KeyId-e7083f22152a7492ec59b0c4243437648b15dbb7.microsoftaik.azure.net/templates/Aik/scep failed: PkiStatus(11): SCEPDispositionPendingChallenge EnrollStatus(32): EnrollUnknown The operation completed successfully. 0x0 (WIN32: 0) SubmitDone Submit(Request): OK HTTP/1.1 200 OK Cache-Control: no-cache Date: Wed, 18 Mar 2020 02:37:31 GMT Pragma: no-cache Content-Length: 9325 Content-Type: application/x-pki-message Expires: -1 x-ms-request-id: 2898193f-d686-4a2b-9cea-291e9b66813a Strict-Transport-Security: max-age=31536000;includeSubDomains X-Content-Type-Options: nosniff Method: POST(95406ms) Stage: SubmitDone The operation timed out 0x80072ee2 (WinHttp: 12002 ERROR_WINHTTP_TIMEOUT)
|
| | Application | Error | None | 2020-03-18 10:44:57 | SYSTEM | Microsoft-Windows-Perflib | 1020: The required buffer size is greater than the buffer size passed to the Collect function of the "C:\Windows\System32\perfts.dll" Extensible Counter DLL for the "LSM" service. The given buffer size was 20768 and the required size was 35064.
|
| | Application | Warning | None | 2020-03-18 10:48:05 | SYSTEM | Microsoft-Windows-RestartManager | 10010: Application 'C:\Program Files (x86)\LG Software\LG Control Center\LGControlCenterRTManager.exe' (pid 9044) cannot be restarted - 1.
|
| | Application | Warning | None | 2020-03-18 10:48:05 | SYSTEM | Microsoft-Windows-RestartManager | 10010: Application 'C:\Program Files\WindowsApps\22094SynapticsIncorporate.SmartAudio2_1.1.51.0_x86__qt57b6kdvhcfw\SAII\SmartAudio.exe' (pid 8952) cannot be restarted - 1.
|
| | Application | Warning | None | 2020-03-18 10:48:05 | SYSTEM | Microsoft-Windows-RestartManager | 10010: Application 'C:\Program Files (x86)\LG Software\LG Update Center\LGUpdateCenter.exe' (pid 6352) cannot be restarted - 1.
|
| | Application | Warning | None | 2020-03-18 10:48:05 | SYSTEM | Microsoft-Windows-RestartManager | 10010: Application 'C:\Program Files (x86)\LG Software\LG Update Center\LG Update Center.exe' (pid 11304) cannot be restarted - 1.
|
| | Application | Error | None | 2020-03-18 10:58:59 | | SideBySide | 33: Activation context generation failed for "C:\Users\redblue\AppData\Roaming\Tencent\TIM\STemp\TXQQ2052~0\SysDir\Check\atl2_c.dll". Dependent Assembly Microsoft.VC80.ATL,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50727.4053" could not be found. Please use sxstrace.exe for detailed diagnosis.
|
| | Application | Error | None | 2020-03-18 11:05:14 | | VSS | 13: Volume Shadow Copy Service information: The COM Server with CLSID {4e14fba2-2e22-11d1-9964-00c04fbbb345} and name CEventSystem cannot be started. [0x8007045b, A system shutdown is in progress. ] ?
|
| | Application | Error | None | 2020-03-18 11:05:14 | LOCAL SERVICE | DPTF | 17: ESIF(8.6.10401.9906) TYPE: ERROR MODULE: ACTION FUNC: EsifActWriteLogHandler FILE: esif_uf_action.c LINE: 789 TIME: 2769613 ms UPE_WIFI:[WifiDev_SvcNotifyCb@wifi_dev.c#599]<2769613 ms>: Error: dwNotificationStatus = 1115
|
| | Application | Error | None | 2020-03-18 11:05:15 | LOCAL SERVICE | DPTF | 17: ESIF(8.6.10401.9906) TYPE: ERROR MODULE: ACTION FUNC: EsifActWriteLogHandler FILE: esif_uf_action.c LINE: 789 TIME: 2770520 ms UPE_WIFI:[WifiDev_SvcNotifyCb@wifi_dev.c#599]<2770520 ms>: Error: dwNotificationStatus = 1115
|
| | Application | Error | None | 2020-03-18 11:06:21 | SYSTEM | CertEnroll | 86: SCEP Certificate enrollment initialization for WORKGROUP\DESKTOP-UT5JEJD$ via https://INTC-KeyId-e7083f22152a7492ec59b0c4243437648b15dbb7.microsoftaik.azure.net/templates/Aik/scep failed: GetCACaps Method: GET(32ms) Stage: GetCACaps The server name or address could not be resolved 0x80072ee7 (WinHttp: 12007 ERROR_WINHTTP_NAME_NOT_RESOLVED)
|
| | Application | Error | None | 2020-03-18 11:06:22 | SYSTEM | CertEnroll | 86: SCEP Certificate enrollment initialization for WORKGROUP\DESKTOP-UT5JEJD$ via https://INTC-KeyId-e7083f22152a7492ec59b0c4243437648b15dbb7.microsoftaik.azure.net/templates/Aik/scep failed: GetCACaps Method: GET(16ms) Stage: GetCACaps The server name or address could not be resolved 0x80072ee7 (WinHttp: 12007 ERROR_WINHTTP_NAME_NOT_RESOLVED)
|
| | Application | Error | None | 2020-03-18 11:10:56 | | VSS | 13: Volume Shadow Copy Service information: The COM Server with CLSID {4e14fba2-2e22-11d1-9964-00c04fbbb345} and name CEventSystem cannot be started. [0x8007045b, A system shutdown is in progress. ] ?
|
| | Application | Error | None | 2020-03-18 11:10:56 | | VSS | 8193: Volume Shadow Copy Service error: Unexpected error calling routine CoCreateInstance. hr = 0x8007045b, A system shutdown is in progress. . ?
|
| | Application | Error | None | 2020-03-18 11:10:56 | | VSS | 13: Volume Shadow Copy Service information: The COM Server with CLSID {4e14fba2-2e22-11d1-9964-00c04fbbb345} and name CEventSystem cannot be started. [0x8007045b, A system shutdown is in progress. ] ?
|
| | Application | Error | None | 2020-03-18 11:10:56 | | VSS | 8193: Volume Shadow Copy Service error: Unexpected error calling routine CoCreateInstance. hr = 0x8007045b, A system shutdown is in progress. . ?
|
| | Application | Error | None | 2020-03-18 11:10:56 | LOCAL SERVICE | DPTF | 17: ESIF(8.6.10401.9906) TYPE: ERROR MODULE: ACTION FUNC: EsifActWriteLogHandler FILE: esif_uf_action.c LINE: 789 TIME: 332387 ms UPE_WIFI:[WifiDev_SvcNotifyCb@wifi_dev.c#599]<332387 ms>: Error: dwNotificationStatus = 1115
|
| | Application | Error | None | 2020-03-18 11:10:57 | LOCAL SERVICE | DPTF | 17: ESIF(8.6.10401.9906) TYPE: ERROR MODULE: ACTION FUNC: EsifActWriteLogHandler FILE: esif_uf_action.c LINE: 789 TIME: 333054 ms UPE_WIFI:[WifiDev_SvcNotifyCb@wifi_dev.c#599]<333054 ms>: Error: dwNotificationStatus = 1115
|
| | Application | Error | None | 2020-03-18 11:30:55 | | SideBySide | 33: Activation context generation failed for "C:\Users\redblue\Downloads\PAGreen\PA_Green\MFC80U.DLL". Dependent Assembly Microsoft.VC80.MFCLOC,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0" could not be found. Please use sxstrace.exe for detailed diagnosis.
|
| | Application | Error | None | 2020-03-18 11:30:56 | | SideBySide | 33: Activation context generation failed for "C:\Users\redblue\Downloads\PAGreen\PA_Green\MFC80U.DLL". Dependent Assembly Microsoft.VC80.MFCLOC,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0" could not be found. Please use sxstrace.exe for detailed diagnosis.
|
| | Application | Error | None | 2020-03-18 11:38:01 | | VSS | 13: Volume Shadow Copy Service information: The COM Server with CLSID {4e14fba2-2e22-11d1-9964-00c04fbbb345} and name CEventSystem cannot be started. [0x8007045b, A system shutdown is in progress. ] ?
|
| | Application | Error | None | 2020-03-18 11:38:01 | | VSS | 8193: Volume Shadow Copy Service error: Unexpected error calling routine CoCreateInstance. hr = 0x8007045b, A system shutdown is in progress. . ?
|
| | Application | Error | None | 2020-03-18 11:38:01 | LOCAL SERVICE | DPTF | 17: ESIF(8.6.10401.9906) TYPE: ERROR MODULE: ACTION FUNC: EsifActWriteLogHandler FILE: esif_uf_action.c LINE: 789 TIME: 1499163 ms UPE_WIFI:[WifiDev_SvcNotifyCb@wifi_dev.c#599]<1499163 ms>: Error: dwNotificationStatus = 1115
|
| | Application | Error | None | 2020-03-18 11:38:02 | LOCAL SERVICE | DPTF | 17: ESIF(8.6.10401.9906) TYPE: ERROR MODULE: ACTION FUNC: EsifActWriteLogHandler FILE: esif_uf_action.c LINE: 789 TIME: 1499972 ms UPE_WIFI:[WifiDev_SvcNotifyCb@wifi_dev.c#599]<1499972 ms>: Error: dwNotificationStatus = 1115
|
| | Application | Error | None | 2020-03-18 11:56:29 | LOCAL SERVICE | DPTF | 17: ESIF(8.6.10401.9906) TYPE: ERROR MODULE: ACTION FUNC: EsifActWriteLogHandler FILE: esif_uf_action.c LINE: 789 TIME: 1096367 ms UPE_WIFI:[WifiDev_SvcNotifyCb@wifi_dev.c#599]<1096367 ms>: Error: dwNotificationStatus = 1115
|
| | Application | Error | None | 2020-03-18 11:57:36 | LOCAL SERVICE | DPTF | 17: ESIF(8.6.10401.9906) TYPE: ERROR MODULE: ACTION FUNC: EsifActWriteLogHandler FILE: esif_uf_action.c LINE: 789 TIME: 55076 ms UPE_WIFI:[WifiDev_SvcNotifyCb@wifi_dev.c#599]<55076 ms>: Error: dwNotificationStatus = 1115
|
| | Application | Warning | None | 2020-03-18 11:57:36 | | Wlclntfy | 6004: The winlogon notification subscriber <TrustedInstaller> failed a critical notification event.
|
| | Application | Error | None | 2020-03-18 13:10:37 | | Service1 | 0: Failed in handling the PowerEvent. The error that occurred was: System.NullReferenceException: Object reference not set to an instance of an object. at DeviceManager.Service1.OnPowerEvent(PowerBroadcastStatus powerStatus) at System.ServiceProcess.ServiceBase.DeferredPowerEvent(Int32 eventType, IntPtr eventData).
|
| | Security | Audit Success | 13312 | 2020-03-16 16:38:42 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x78 New Process Name: ????-??6?4????0--?0??????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x4 Creator Process Name: ??????? Process Command Line: ????0--?0??????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2020-03-16 16:38:42 | | Microsoft-Windows-Security-Auditing | 4696: A primary token was assigned to process. Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Process Information: Process ID: 0x4 Process Name: ? Target Process: Target Process ID: 0x78 Target Process Name: Registry New Token Information: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x3e7
|
| | Security | Audit Success | 13312 | 2020-03-16 16:38:42 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x19c New Process Name: ??????????????-??6?4????0--?0??????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x4 Creator Process Name: ??????? Process Command Line: ????0--?0??????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2020-03-16 16:38:42 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1b4 New Process Name: ???????????????e??? ????????? ???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x19c Creator Process Name: ????????????????????4 Process Command Line: ????0--?0????????????????????4 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13573 | 2020-03-16 16:38:42 | | Microsoft-Windows-Security-Auditing | 4826: Boot Configuration Data loaded. Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 General Settings: Load Options: - Advanced Options: %%1843 Configuration Access Policy: %%1846 System Event Logging: %%1843 Kernel Debugging: %%1843 VSM Launch Type: %%1848 Signature Settings: Test Signing: %%1843 Flight Signing: %%1843 Disable Integrity Checks: %%1843 HyperVisor Settings: HyperVisor Load Options: - HyperVisor Launch Type: %%1848 HyperVisor Debugging: %%1843
|
| | Security | Audit Success | 13312 | 2020-03-16 16:38:44 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x20c New Process Name: ??????????????-??6??c????0--?0????????????????????4? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x19c Creator Process Name: ????????????????????4? Process Command Line: ????0--?0????????????????????4? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2020-03-16 16:38:52 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x278 New Process Name: ??????????????e??? ????????? ???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x20c Creator Process Name: ????????????????????4 Process Command Line: ????0--?0????????????????????4 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 12288 | 2020-03-16 16:38:53 | | Microsoft-Windows-Security-Auditing | 4608: Windows is starting up. This event is logged when LSASS.EXE starts and the auditing subsystem is initialized.
|
| | Security | Audit Success | 12292 | 2020-03-16 16:38:53 | | Microsoft-Windows-Security-Auditing | 5033: The Windows Firewall Driver started successfully.
|
| | Security | Audit Success | 12544 | 2020-03-16 16:38:53 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 0 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: - New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4 Process Name: ? Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: - Authentication Package: - Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. 
- Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-16 16:38:53 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: UMFD-0 Account Domain: Font Driver Host Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x2d0 Process Name: C:\Windows\System32\wininit.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2020-03-16 16:38:53 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: UMFD-1 Account Domain: Font Driver Host Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x334 Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2020-03-16 16:38:53 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1842 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-96-0-0 Account Name: UMFD-0 Account Domain: Font Driver Host Logon ID: 0x10c94 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2d0 Process Name: C:\Windows\System32\wininit.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-16 16:38:53 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1842 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-96-0-1 Account Name: UMFD-1 Account Domain: Font Driver Host Logon ID: 0x10cb9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x334 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-16 16:38:53 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x318 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-16 16:38:53 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x318 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-16 16:38:53 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x318 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-16 16:38:53 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x318 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-16 16:38:53 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x318 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-16 16:38:53 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x318 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-16 16:38:53 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x318 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-16 16:38:53 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x318 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-16 16:38:53 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DWM-1 Account Domain: Window Manager Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x334 Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2020-03-16 16:38:53 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1842 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x1b49a Linked Logon ID: 0x1b4bc Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x334 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-16 16:38:53 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1842 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x1b4bc Linked Logon ID: 0x1b49a Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x334 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-16 16:38:53 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x318 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-16 16:38:53 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x318 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-16 16:38:53 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-16 16:38:53 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-16 16:38:53 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-16 16:38:53 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e4 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-16 16:38:53 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-16 16:38:53 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-16 16:38:53 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-16 16:38:53 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-16 16:38:53 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x1b49a Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-16 16:38:53 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x1b4bc Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege
|
| | Security | Audit Success | 12548 | 2020-03-16 16:38:53 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-16 16:38:53 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13312 | 2020-03-16 16:38:53 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2c8 New Process Name: ??????????????-??6??c????0--?0????????????????????4? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x19c Creator Process Name: ????????????????????4? Process Command Line: ????0--?0????????????????????4? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2020-03-16 16:38:53 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2d0 New Process Name: ???????????????e??? ????????? ???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x20c Creator Process Name: ????????????????????4 Process Command Line: ????0--?0????????????????????4 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2020-03-16 16:38:53 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2d8 New Process Name: ??????????????e??? ????????? ???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x2c8 Creator Process Name: ????????????????????4 Process Command Line: ????0--?0????????????????????4 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2020-03-16 16:38:53 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x318 New Process Name: ????????????????-??6??0????0--?0???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x2d0 Creator Process Name: ???????????????e?????? Process Command Line: ????0--?0???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2020-03-16 16:38:53 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x334 New Process Name: ????????????????-??6??8????0--?0????????????????????4? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x2c8 Creator Process Name: ????????????????????4? Process Command Line: ????0--?0????????????????????4? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2020-03-16 16:38:53 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x358 New Process Name: ??????????????e??? ????????? ???????????????????????4? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x2d0 Creator Process Name: ???????????????e?????? Process Command Line: ????0--?0???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13568 | 2020-03-16 16:38:53 | | Microsoft-Windows-Security-Auditing | 4902: The Per-user audit policy table was created. Number of Elements: 0 Policy ID: 0x10b0e
|
| | Security | Audit Success | 13826 | 2020-03-16 16:38:53 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x6f8 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 12292 | 2020-03-16 16:38:54 | | Microsoft-Windows-Security-Auditing | 5024: The Windows Firewall service started successfully.
|
| | Security | Audit Success | 12544 | 2020-03-16 16:38:57 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x318 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-16 16:38:57 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x318 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-16 16:38:57 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-16 16:38:57 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2020-03-16 16:38:58 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x318 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-16 16:38:58 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x318 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-16 16:38:58 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-16 16:38:58 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2020-03-16 16:38:59 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x318 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-16 16:38:59 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x318 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-16 16:38:59 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x318 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-16 16:38:59 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x318 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-16 16:38:59 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x318 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-16 16:38:59 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x318 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-16 16:38:59 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x318 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-16 16:38:59 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x318 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-16 16:38:59 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x318 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-16 16:38:59 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x318 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-16 16:38:59 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x318 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-16 16:38:59 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x318 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-16 16:38:59 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x318 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-16 16:38:59 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x318 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-16 16:38:59 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x318 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-16 16:38:59 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x318 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-16 16:38:59 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x318 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-16 16:38:59 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x318 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-16 16:38:59 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x318 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-16 16:38:59 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x318 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-16 16:38:59 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x318 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-16 16:38:59 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-16 16:38:59 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-16 16:38:59 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-16 16:38:59 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-16 16:38:59 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-16 16:38:59 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-16 16:38:59 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-16 16:38:59 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-16 16:38:59 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-16 16:38:59 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-16 16:38:59 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-16 16:38:59 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-16 16:38:59 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-16 16:38:59 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-16 16:38:59 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-16 16:38:59 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-16 16:38:59 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-16 16:38:59 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-16 16:38:59 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-16 16:38:59 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-16 16:38:59 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2020-03-16 16:38:59 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-16 16:38:59 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-16 16:38:59 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13826 | 2020-03-16 16:38:59 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-20 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e4 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x10ec Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 12544 | 2020-03-16 16:39:00 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x318 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-16 16:39:00 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x318 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-16 16:39:00 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x318 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-16 16:39:00 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-16 16:39:00 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-16 16:39:00 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13568 | 2020-03-16 16:39:00 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Temp\winre\ExtractedFromWim Handle ID: 0x7a0 Process Information: Process ID: 0x984 Process Name: C:\Windows\System32\oobe\msoobe.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13826 | 2020-03-16 16:39:00 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0xeb8 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13826 | 2020-03-16 16:39:00 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x1808 Process Name: C:\Windows\System32\SearchIndexer.exe
|
| | Security | Audit Success | 12544 | 2020-03-16 16:39:01 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: defaultuser0 Account Domain: DESKTOP-ABPHKLO Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x984 Process Name: C:\Windows\System32\oobe\msoobe.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2020-03-16 16:39:01 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-4230960370-218822903-690480705-1000 Account Name: defaultuser0 Account Domain: DESKTOP-ABPHKLO Logon ID: 0x5fd00 Linked Logon ID: 0x5fd64 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x984 Process Name: C:\Windows\System32\oobe\msoobe.exe Network Information: Workstation Name: WIN-T5SAB95QOPJ Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-16 16:39:01 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-4230960370-218822903-690480705-1000 Account Name: defaultuser0 Account Domain: DESKTOP-ABPHKLO Logon ID: 0x5fd64 Linked Logon ID: 0x5fd00 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x984 Process Name: C:\Windows\System32\oobe\msoobe.exe Network Information: Workstation Name: WIN-T5SAB95QOPJ Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-16 16:39:01 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1000 Account Name: defaultuser0 Account Domain: DESKTOP-ABPHKLO Logon ID: 0x5fd00 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2020-03-16 16:39:01 | | Microsoft-Windows-Security-Auditing | 4720: A user account was created. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 New Account: Security ID: S-1-5-21-4230960370-218822903-690480705-1000 Account Name: defaultuser0 Account Domain: DESKTOP-ABPHKLO Attributes: SAM Account Name: defaultuser0 Display Name: %%1793 User Principal Name: - Home Directory: %%1793 Home Drive: %%1793 Script Path: %%1793 Profile Path: %%1793 User Workstations: %%1793 Password Last Set: %%1794 Account Expires: %%1794 Primary Group ID: 513 Allowed To Delegate To: - Old UAC Value: 0x0 New UAC Value: 0x15 User Account Control: %%2080 %%2082 %%2084 User Parameters: %%1793 SID History: - Logon Hours: %%1797 Additional Information: Privileges -
|
| | Security | Audit Success | 13824 | 2020-03-16 16:39:01 | | Microsoft-Windows-Security-Auditing | 4722: A user account was enabled. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-4230960370-218822903-690480705-1000 Account Name: defaultuser0 Account Domain: DESKTOP-ABPHKLO
|
| | Security | Audit Success | 13824 | 2020-03-16 16:39:01 | | Microsoft-Windows-Security-Auditing | 4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-4230960370-218822903-690480705-1000 Account Name: defaultuser0 Account Domain: DESKTOP-ABPHKLO Changed Attributes: SAM Account Name: defaultuser0 Display Name: %%1793 User Principal Name: - Home Directory: %%1793 Home Drive: %%1793 Script Path: %%1793 Profile Path: %%1793 User Workstations: %%1793 Password Last Set: %%1794 Account Expires: %%1794 Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x15 New UAC Value: 0x14 User Account Control: %%2048 User Parameters: %%1793 SID History: - Logon Hours: %%1797 Additional Information: Privileges: -
|
| | Security | Audit Success | 13824 | 2020-03-16 16:39:01 | | Microsoft-Windows-Security-Auditing | 4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-4230960370-218822903-690480705-1000 Account Name: defaultuser0 Account Domain: DESKTOP-ABPHKLO Changed Attributes: SAM Account Name: defaultuser0 Display Name: %%1793 User Principal Name: - Home Directory: %%1793 Home Drive: %%1793 Script Path: %%1793 Profile Path: %%1793 User Workstations: %%1793 Password Last Set: 3/16/2020 1:39:01 AM Account Expires: %%1794 Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x14 New UAC Value: 0x14 User Account Control: - User Parameters: - SID History: - Logon Hours: %%1797 Additional Information: Privileges: -
|
| | Security | Audit Success | 13824 | 2020-03-16 16:39:01 | | Microsoft-Windows-Security-Auditing | 4724: An attempt was made to reset an account's password. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-4230960370-218822903-690480705-1000 Account Name: defaultuser0 Account Domain: DESKTOP-ABPHKLO
|
| | Security | Audit Success | 13824 | 2020-03-16 16:39:01 | | Microsoft-Windows-Security-Auditing | 4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-4230960370-218822903-690480705-1000 Account Name: defaultuser0 Account Domain: DESKTOP-ABPHKLO Changed Attributes: SAM Account Name: defaultuser0 Display Name: %%1793 User Principal Name: - Home Directory: %%1793 Home Drive: %%1793 Script Path: %%1793 Profile Path: %%1793 User Workstations: %%1793 Password Last Set: 3/16/2020 1:39:01 AM Account Expires: %%1794 Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x14 New UAC Value: 0x214 User Account Control: %%2089 User Parameters: - SID History: - Logon Hours: %%1797 Additional Information: Privileges: -
|
| | Security | Audit Success | 13824 | 2020-03-16 16:39:01 | | Microsoft-Windows-Security-Auditing | 4724: An attempt was made to reset an account's password. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-4230960370-218822903-690480705-1000 Account Name: defaultuser0 Account Domain: DESKTOP-ABPHKLO
|
| | Security | Audit Success | 13826 | 2020-03-16 16:39:01 | | Microsoft-Windows-Security-Auditing | 4728: A member was added to a security-enabled global group. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Member: Security ID: S-1-5-21-4230960370-218822903-690480705-1000 Account Name: - Group: Security ID: S-1-5-21-4230960370-218822903-690480705-513 Group Name: None Group Domain: DESKTOP-ABPHKLO Additional Information: Privileges: - Expiration time: (null)
|
| | Security | Audit Success | 13826 | 2020-03-16 16:39:01 | | Microsoft-Windows-Security-Auditing | 4732: A member was added to a security-enabled local group. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Member: Security ID: S-1-5-21-4230960370-218822903-690480705-1000 Account Name: - Group: Security ID: S-1-5-32-545 Group Name: Users Group Domain: Builtin Additional Information: Privileges: - Expiration time: (null)
|
| | Security | Audit Success | 13826 | 2020-03-16 16:39:01 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x984 Process Name: C:\Windows\System32\oobe\msoobe.exe
|
| | Security | Audit Success | 13826 | 2020-03-16 16:39:01 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x984 Process Name: C:\Windows\System32\oobe\msoobe.exe
|
| | Security | Audit Success | 13826 | 2020-03-16 16:39:01 | | Microsoft-Windows-Security-Auditing | 4732: A member was added to a security-enabled local group. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Member: Security ID: S-1-5-21-4230960370-218822903-690480705-1000 Account Name: - Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Additional Information: Privileges: - Expiration time: (null)
|
| | Security | Audit Success | 13826 | 2020-03-16 16:39:01 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x984 Process Name: C:\Windows\System32\oobe\msoobe.exe
|
| | Security | Audit Success | 13826 | 2020-03-16 16:39:01 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x984 Process Name: C:\Windows\System32\oobe\msoobe.exe
|
| | Security | Audit Success | 13826 | 2020-03-16 16:39:01 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0xeb8 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 12544 | 2020-03-16 16:39:02 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x318 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-16 16:39:02 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x318 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-16 16:39:02 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-16 16:39:02 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2020-03-16 16:39:02 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-16 16:39:02 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-16 16:39:02 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-16 16:39:03 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-16 16:39:03 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-16 16:39:03 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-16 16:39:03 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-16 16:39:03 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-16 16:39:03 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-16 16:39:03 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-20 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e4 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-16 16:39:03 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-20 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e4 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-16 16:39:03 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-20 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e4 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-16 16:39:03 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-16 16:39:03 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-16 16:39:03 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-16 16:39:03 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-16 16:39:03 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-16 16:39:03 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-16 16:39:03 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-16 16:39:03 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-16 16:39:03 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 12544 | 2020-03-16 16:39:09 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x318 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-16 16:39:09 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x318 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-16 16:39:09 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x318 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-16 16:39:09 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-16 16:39:09 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-16 16:39:09 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13568 | 2020-03-16 16:39:09 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\_0000000000000000.cdf-ms Handle ID: 0x3ec Process Information: Process ID: 0x1798 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.471_none_5f12f35059003107\TiWorker.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-16 16:39:09 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\programdata.cdf-ms Handle ID: 0x3ac Process Information: Process ID: 0x1798 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.471_none_5f12f35059003107\TiWorker.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-16 16:39:09 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\programdata_microsoft_fe5c6d762edd2110.cdf-ms Handle ID: 0x3c0 Process Information: Process ID: 0x1798 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.471_none_5f12f35059003107\TiWorker.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-16 16:39:09 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\programdata_microsoft_windows_defender_8c225bc560faa67e.cdf-ms Handle ID: 0x38c Process Information: Process ID: 0x1798 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.471_none_5f12f35059003107\TiWorker.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-16 16:39:09 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\programdata_microsoft_windows_defender_definition_updates_d3c2d4757cf0b9a3.cdf-ms Handle ID: 0x410 Process Information: Process ID: 0x1798 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.471_none_5f12f35059003107\TiWorker.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-16 16:39:09 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\programdata_microsoft_windows_defender_definition_updates_default_44e57bb5c1e3d0e8.cdf-ms Handle ID: 0x43c Process Information: Process ID: 0x1798 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.471_none_5f12f35059003107\TiWorker.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13824 | 2020-03-16 16:39:09 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-16 16:39:09 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-16 16:39:09 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13826 | 2020-03-16 16:39:09 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x1c78 Process Name: C:\Windows\System32\VSSVC.exe
|
| | Security | Audit Success | 13826 | 2020-03-16 16:39:09 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x1c78 Process Name: C:\Windows\System32\VSSVC.exe
|
| | Security | Audit Success | 13826 | 2020-03-16 16:39:09 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x1c78 Process Name: C:\Windows\System32\VSSVC.exe
|
| | Security | Audit Success | 13826 | 2020-03-16 16:39:09 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x1c78 Process Name: C:\Windows\System32\VSSVC.exe
|
| | Security | Audit Success | 13824 | 2020-03-16 16:39:10 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1000 Account Name: defaultuser0 Account Domain: DESKTOP-ABPHKLO Process Information: Process ID: 0x15a4 Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe
|
| | Security | Audit Success | 13824 | 2020-03-16 16:39:10 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1000 Account Name: defaultuser0 Account Domain: DESKTOP-ABPHKLO Process Information: Process ID: 0x15a4 Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe
|
| | Security | Audit Success | 12544 | 2020-03-16 16:39:14 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-T5SAB95QOPJ$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x318 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-16 16:39:14 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13312 | 2020-03-18 10:09:46 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x78 New Process Name: ????-??6?4????0--?0??????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x4 Creator Process Name: ??????? Process Command Line: ????0--?0??????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2020-03-18 10:09:46 | | Microsoft-Windows-Security-Auditing | 4696: A primary token was assigned to process. Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Process Information: Process ID: 0x4 Process Name: ? Target Process: Target Process ID: 0x78 Target Process Name: Registry New Token Information: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x3e7
|
| | Security | Audit Success | 13312 | 2020-03-18 10:09:46 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1a4 New Process Name: ??????????????-??6?4????0--?0??????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x4 Creator Process Name: ??????? Process Command Line: ????0--?0??????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13573 | 2020-03-18 10:09:46 | | Microsoft-Windows-Security-Auditing | 4826: Boot Configuration Data loaded. Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 General Settings: Load Options: - Advanced Options: %%1843 Configuration Access Policy: %%1846 System Event Logging: %%1843 Kernel Debugging: %%1843 VSM Launch Type: %%1848 Signature Settings: Test Signing: %%1843 Flight Signing: %%1843 Disable Integrity Checks: %%1843 HyperVisor Settings: HyperVisor Load Options: - HyperVisor Launch Type: %%1848 HyperVisor Debugging: %%1843
|
| | Security | Audit Success | 13312 | 2020-03-18 10:09:54 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x228 New Process Name: ???????????????e??? ????????? ???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1a4 Creator Process Name: ????????????????????4 Process Command Line: ????0--?0????????????????????4 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2020-03-18 10:09:55 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x264 New Process Name: ???????????????e??? ????????? ???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1a4 Creator Process Name: ????????????????????4 Process Command Line: ????0--?0????????????????????4 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2020-03-18 10:09:55 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x274 New Process Name: ??????????????-??6??4????0--?0????????????????????4? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1a4 Creator Process Name: ????????????????????4? Process Command Line: ????0--?0????????????????????4? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2020-03-18 10:09:55 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x27c New Process Name: ??????????????e??? ????????? ???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x274 Creator Process Name: ????????????????????4 Process Command Line: ????0--?0????????????????????4 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2020-03-18 10:09:55 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2c8 New Process Name: ??????????????-??6??4????0--?0????????????????????4? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1a4 Creator Process Name: ????????????????????4? Process Command Line: ????0--?0????????????????????4? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2020-03-18 10:09:55 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2d0 New Process Name: ???????????????e??? ????????? ???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x274 Creator Process Name: ????????????????????4 Process Command Line: ????0--?0????????????????????4 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2020-03-18 10:09:55 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2d8 New Process Name: ??????????????e??? ????????? ???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x2c8 Creator Process Name: ????????????????????4 Process Command Line: ????0--?0????????????????????4 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2020-03-18 10:09:55 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x318 New Process Name: ????????????????-??6??0????0--?0???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x2d0 Creator Process Name: ???????????????e?????? Process Command Line: ????0--?0???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2020-03-18 10:09:55 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x338 New Process Name: ????????????????-??6??8????0--?0????????????????????4? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x2c8 Creator Process Name: ????????????????????4? Process Command Line: ????0--?0????????????????????4? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 101 | 2020-03-18 10:09:56 | | Microsoft-Windows-Eventlog | 1101: Audit events have been dropped by the transport. 0
|
| | Security | Audit Success | 12288 | 2020-03-18 10:09:56 | | Microsoft-Windows-Security-Auditing | 4608: Windows is starting up. This event is logged when LSASS.EXE starts and the auditing subsystem is initialized.
|
| | Security | Audit Success | 12292 | 2020-03-18 10:09:56 | | Microsoft-Windows-Security-Auditing | 5033: The Windows Firewall Driver started successfully.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:09:56 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 0 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: - New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4 Process Name: ? Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: - Authentication Package: - Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:09:56 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: UMFD-0 Account Domain: Font Driver Host Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x2d0 Process Name: C:\Windows\System32\wininit.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:09:56 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: UMFD-1 Account Domain: Font Driver Host Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x338 Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:09:56 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1842 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-96-0-0 Account Name: UMFD-0 Account Domain: Font Driver Host Logon ID: 0x11cfb Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2d0 Process Name: C:\Windows\System32\wininit.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:09:56 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1842 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-96-0-1 Account Name: UMFD-1 Account Domain: Font Driver Host Logon ID: 0x11d03 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x338 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:09:56 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x318 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:09:56 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x318 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:09:56 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x318 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:09:56 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x318 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:09:56 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x318 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:09:56 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DWM-1 Account Domain: Window Manager Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x338 Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:09:56 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1842 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x194e0 Linked Logon ID: 0x19509 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x338 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:09:56 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1842 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x19509 Linked Logon ID: 0x194e0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x338 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:09:56 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x318 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:09:56 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x318 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:09:56 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x318 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:09:56 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x318 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:09:56 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x318 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:09:56 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x318 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:09:56 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x318 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:09:56 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x318 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:09:56 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x318 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:09:56 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x318 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:09:56 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x318 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:09:56 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x318 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:09:56 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x318 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:09:56 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x318 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:09:56 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x318 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:09:56 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x318 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:09:56 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x318 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 10:09:56 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:09:56 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:09:56 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:09:56 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e4 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:09:56 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:09:56 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x194e0 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:09:56 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x19509 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:09:56 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:09:56 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:09:56 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:09:56 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:09:56 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:09:56 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:09:56 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:09:56 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:09:56 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:09:56 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:09:56 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:09:56 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:09:56 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:09:56 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:09:56 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:09:56 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:09:56 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13312 | 2020-03-18 10:09:56 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x364 New Process Name: ??????????????e??? ????????? ???????????????????????4? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x2d0 Creator Process Name: ???????????????e?????? Process Command Line: ????0--?0???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13568 | 2020-03-18 10:09:56 | | Microsoft-Windows-Security-Auditing | 4902: The Per-user audit policy table was created. Number of Elements: 0 Policy ID: 0x11b84
|
| | Security | Audit Success | 13824 | 2020-03-18 10:09:56 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:09:56 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:09:56 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 12290 | 2020-03-18 10:09:57 | | Microsoft-Windows-Security-Auditing | 5061: Cryptographic operation. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1000 Account Name: defaultuser0 Account Domain: DESKTOP-ABPHKLO Logon ID: 0x45c43 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: %%2500 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
|
| | Security | Audit Success | 12290 | 2020-03-18 10:09:57 | | Microsoft-Windows-Security-Auditing | 5061: Cryptographic operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: %%2500 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
|
| | Security | Audit Success | 12292 | 2020-03-18 10:09:57 | | Microsoft-Windows-Security-Auditing | 5024: The Windows Firewall service started successfully.
|
| | Security | Audit Success | 12292 | 2020-03-18 10:09:57 | | Microsoft-Windows-Security-Auditing | 5058: Key file operation. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1000 Account Name: defaultuser0 Account Domain: DESKTOP-ABPHKLO Logon ID: 0x45c43 Process Information: Process ID: 5412 Process Creation Time: 2020-03-18T02:09:57.701977100Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: Microsoft Connected Devices Platform device certificate Key Type: %%2500 Key File Operation Information: File Path: C:\Users\defaultuser0\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_7fbcc963-8e43-4455-80cd-825694131a80 Operation: %%2458 Return Code: 0x0
|
| | Security | Audit Success | 12292 | 2020-03-18 10:09:57 | | Microsoft-Windows-Security-Auditing | 5059: Key migration operation. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1000 Account Name: defaultuser0 Account Domain: DESKTOP-ABPHKLO Logon ID: 0x45c43 Process Information: Process ID: 5412 Process Creation Time: 2020-03-18T02:09:57.701977100Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: %%2500 Additional Information: Operation: %%2464 Return Code: 0x0
|
| | Security | Audit Success | 12292 | 2020-03-18 10:09:57 | | Microsoft-Windows-Security-Auditing | 5058: Key file operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Process Information: Process ID: 5824 Process Creation Time: 2020-03-18T02:09:57.846191300Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: Microsoft Connected Devices Platform device certificate Key Type: %%2500 Key File Operation Information: File Path: C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_7fbcc963-8e43-4455-80cd-825694131a80 Operation: %%2458 Return Code: 0x0
|
| | Security | Audit Success | 12292 | 2020-03-18 10:09:57 | | Microsoft-Windows-Security-Auditing | 5059: Key migration operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Process Information: Process ID: 5824 Process Creation Time: 2020-03-18T02:09:57.846191300Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: %%2500 Additional Information: Operation: %%2464 Return Code: 0x0
|
| | Security | Audit Success | 12544 | 2020-03-18 10:09:57 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x318 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:09:57 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x318 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:09:57 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x318 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:09:57 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x318 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:09:57 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x318 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:09:57 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x318 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:09:57 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x318 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:09:57 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x318 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:09:57 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x318 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:09:57 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x318 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:09:57 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: defaultuser0 Account Domain: DESKTOP-ABPHKLO Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x4b8 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: 127.0.0.1 Port: 0 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:09:57 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-4230960370-218822903-690480705-1000 Account Name: defaultuser0 Account Domain: DESKTOP-ABPHKLO Logon ID: 0x45bec Linked Logon ID: 0x45c43 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4b8 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: DESKTOP-ABPHKLO Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. 
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:09:57 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-4230960370-218822903-690480705-1000 Account Name: defaultuser0 Account Domain: DESKTOP-ABPHKLO Logon ID: 0x45c43 Linked Logon ID: 0x45bec Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4b8 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: DESKTOP-ABPHKLO Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. 
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:09:57 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x318 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 10:09:57 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:09:57 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:09:57 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:09:57 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:09:57 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:09:57 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:09:57 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:09:57 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:09:57 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:09:57 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:09:57 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1000 Account Name: defaultuser0 Account Domain: DESKTOP-ABPHKLO Logon ID: 0x45bec Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:09:57 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2020-03-18 10:09:57 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1000 Account Name: defaultuser0 Account Domain: DESKTOP-ABPHKLO Logon ID: 0x45c43 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:09:57 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1000 Account Name: defaultuser0 Account Domain: DESKTOP-ABPHKLO Logon ID: 0x45c43 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:09:57 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:09:57 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:09:57 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13826 | 2020-03-18 10:09:57 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-20 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e4 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0xfd0 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13826 | 2020-03-18 10:09:57 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0xffc Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13826 | 2020-03-18 10:09:57 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x6c8 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 12544 | 2020-03-18 10:09:58 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x318 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:09:58 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x318 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12545 | 2020-03-18 10:09:58 | | Microsoft-Windows-Security-Auditing | 4647: User initiated logoff: Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1000 Account Name: defaultuser0 Account Domain: DESKTOP-ABPHKLO Logon ID: 0x45c43 This event is generated when a logoff is initiated. No further user-initiated activity can occur. This event can be interpreted as a logoff event.
|
| | Security | Audit Success | 12548 | 2020-03-18 10:09:58 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:09:58 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2020-03-18 10:09:58 | | Microsoft-Windows-Security-Auditing | 4725: A user account was disabled. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-4230960370-218822903-690480705-1000 Account Name: defaultuser0 Account Domain: DESKTOP-ABPHKLO
|
| | Security | Audit Success | 13824 | 2020-03-18 10:09:58 | | Microsoft-Windows-Security-Auditing | 4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-4230960370-218822903-690480705-1000 Account Name: defaultuser0 Account Domain: DESKTOP-ABPHKLO Changed Attributes: SAM Account Name: defaultuser0 Display Name: %%1793 User Principal Name: - Home Directory: %%1793 Home Drive: %%1793 Script Path: %%1793 Profile Path: %%1793 User Workstations: %%1793 Password Last Set: 3/16/2020 1:39:01 AM Account Expires: %%1794 Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x214 New UAC Value: 0x211 User Account Control: %%2080 %%2050 User Parameters: %%1793 SID History: - Logon Hours: %%1797 Additional Information: Privileges: -
|
| | Security | Audit Success | 13824 | 2020-03-18 10:09:58 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-500 Account Name: Administrator Account Domain: DESKTOP-ABPHKLO Process Information: Process ID: 0x4b8 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 10:09:58 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-503 Account Name: DefaultAccount Account Domain: DESKTOP-ABPHKLO Process Information: Process ID: 0x4b8 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 10:09:58 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1000 Account Name: defaultuser0 Account Domain: DESKTOP-ABPHKLO Process Information: Process ID: 0x4b8 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 10:09:58 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-ABPHKLO Process Information: Process ID: 0x4b8 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 10:09:58 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-504 Account Name: WDAGUtilityAccount Account Domain: DESKTOP-ABPHKLO Process Information: Process ID: 0x4b8 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13826 | 2020-03-18 10:09:58 | | Microsoft-Windows-Security-Auditing | 4733: A member was removed from a security-enabled local group. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Member: Security ID: S-1-5-21-4230960370-218822903-690480705-1000 Account Name: - Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Additional Information: Privileges: -
|
| | Security | Audit Success | 13826 | 2020-03-18 10:09:58 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x19b4 Process Name: C:\Windows\System32\SearchIndexer.exe
|
| | Security | Audit Success | 103 | 2020-03-18 10:09:59 | | Microsoft-Windows-Eventlog | 1100: The event logging service has shut down.
|
| | Security | Audit Success | 13312 | 2020-03-18 10:10:13 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x78 New Process Name: ????-??6?4????0--?0??????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x4 Creator Process Name: ??????? Process Command Line: ????0--?0??????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2020-03-18 10:10:13 | | Microsoft-Windows-Security-Auditing | 4696: A primary token was assigned to process. Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Process Information: Process ID: 0x4 Process Name: ? Target Process: Target Process ID: 0x78 Target Process Name: Registry New Token Information: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x3e7
|
| | Security | Audit Success | 13312 | 2020-03-18 10:10:13 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1a0 New Process Name: ??????????????-??6?4????0--?0??????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x4 Creator Process Name: ??????? Process Command Line: ????0--?0??????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2020-03-18 10:10:13 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1b8 New Process Name: ???????????????e??? ????????? ???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1a0 Creator Process Name: ????????????????????4 Process Command Line: ????0--?0????????????????????4 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2020-03-18 10:10:13 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x208 New Process Name: ??????????????-??6??0????0--?0????????????????????4? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1a0 Creator Process Name: ????????????????????4? Process Command Line: ????0--?0????????????????????4? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13573 | 2020-03-18 10:10:13 | | Microsoft-Windows-Security-Auditing | 4826: Boot Configuration Data loaded. Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 General Settings: Load Options: - Advanced Options: %%1843 Configuration Access Policy: %%1846 System Event Logging: %%1843 Kernel Debugging: %%1843 VSM Launch Type: %%1848 Signature Settings: Test Signing: %%1843 Flight Signing: %%1843 Disable Integrity Checks: %%1843 HyperVisor Settings: HyperVisor Load Options: - HyperVisor Launch Type: %%1848 HyperVisor Debugging: %%1843
|
| | Security | Audit Success | 12288 | 2020-03-18 10:10:21 | | Microsoft-Windows-Security-Auditing | 4608: Windows is starting up. This event is logged when LSASS.EXE starts and the auditing subsystem is initialized.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:10:21 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 0 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: - New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4 Process Name: ? Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: - Authentication Package: - Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:10:21 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: UMFD-1 Account Domain: Font Driver Host Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x348 Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:10:21 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: UMFD-0 Account Domain: Font Driver Host Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x2cc Process Name: C:\Windows\System32\wininit.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:10:21 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x32c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:10:21 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1842 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-96-0-0 Account Name: UMFD-0 Account Domain: Font Driver Host Logon ID: 0x101a6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2cc Process Name: C:\Windows\System32\wininit.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:10:21 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1842 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-96-0-1 Account Name: UMFD-1 Account Domain: Font Driver Host Logon ID: 0x101e8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x348 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:10:21 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x32c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:10:21 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x32c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:10:21 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x32c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:10:21 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x32c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:10:21 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DWM-1 Account Domain: Window Manager Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x348 Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:10:21 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1842 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x17b10 Linked Logon ID: 0x17b26 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x348 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:10:21 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1842 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x17b26 Linked Logon ID: 0x17b10 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x348 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:10:21 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x32c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:10:21 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x32c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 10:10:21 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:10:21 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:10:21 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:10:21 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e4 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:10:21 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:10:21 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x17b10 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:10:21 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x17b26 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:10:21 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:10:21 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13312 | 2020-03-18 10:10:21 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x274 New Process Name: ??????????????e??? ????????? ???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x208 Creator Process Name: ????????????????????4 Process Command Line: ????0--?0????????????????????4 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2020-03-18 10:10:21 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2c4 New Process Name: ??????????????-??6??0????0--?0????????????????????4? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1a0 Creator Process Name: ????????????????????4? Process Command Line: ????0--?0????????????????????4? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2020-03-18 10:10:21 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2cc New Process Name: ???????????????e??? ????????? ???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x208 Creator Process Name: ????????????????????4 Process Command Line: ????0--?0????????????????????4 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2020-03-18 10:10:21 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2d4 New Process Name: ??????????????e??? ????????? ???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x2c4 Creator Process Name: ????????????????????4 Process Command Line: ????0--?0????????????????????4 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2020-03-18 10:10:21 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x32c New Process Name: ????????????????-??6??c????0--?0???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x2cc Creator Process Name: ???????????????e?????? Process Command Line: ????0--?0???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2020-03-18 10:10:21 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x348 New Process Name: ????????????????-??6??4????0--?0????????????????????4? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x2c4 Creator Process Name: ????????????????????4? Process Command Line: ????0--?0????????????????????4? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2020-03-18 10:10:21 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x388 New Process Name: ??????????????e??? ????????? ???????????????????????4? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x2cc Creator Process Name: ???????????????e?????? Process Command Line: ????0--?0???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13568 | 2020-03-18 10:10:21 | | Microsoft-Windows-Security-Auditing | 4902: The Per-user audit policy table was created. Number of Elements: 0 Policy ID: 0xffea
|
| | Security | Audit Success | 12544 | 2020-03-18 10:10:25 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x32c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:10:25 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x32c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 10:10:25 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:10:25 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2020-03-18 10:10:26 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x32c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 10:10:26 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12292 | 2020-03-18 10:10:27 | | Microsoft-Windows-Security-Auditing | 5033: The Windows Firewall Driver started successfully.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:10:27 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x32c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:10:27 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x32c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:10:27 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x32c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:10:27 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x32c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:10:27 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x32c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:10:27 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x32c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:10:27 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x32c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:10:27 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x32c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:10:27 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x32c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:10:27 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x32c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:10:27 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x32c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:10:27 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x32c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:10:27 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x32c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:10:27 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x32c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:10:27 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x32c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:10:27 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x32c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:10:27 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x32c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:10:27 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x32c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:10:27 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x32c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:10:27 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x32c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:10:27 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x32c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:10:27 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x32c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 10:10:27 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:10:27 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:10:27 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:10:27 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:10:27 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:10:27 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:10:27 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:10:27 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:10:27 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:10:27 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:10:27 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:10:27 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:10:27 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:10:27 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:10:27 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:10:27 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:10:27 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:10:27 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:10:27 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:10:27 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:10:27 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:10:27 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2020-03-18 10:10:27 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:10:27 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:10:27 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 12292 | 2020-03-18 10:10:28 | | Microsoft-Windows-Security-Auditing | 5024: The Windows Firewall service started successfully.
|
| | Security | Audit Success | 13826 | 2020-03-18 10:10:28 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-20 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e4 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0xf84 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13826 | 2020-03-18 10:10:28 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0xfa0 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 12544 | 2020-03-18 10:10:29 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x32c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 10:10:29 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13568 | 2020-03-18 10:10:29 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Temp\winre\ExtractedFromWim Handle ID: 0x7a0 Process Information: Process ID: 0x660 Process Name: C:\Windows\System32\oobe\msoobe.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13824 | 2020-03-18 10:10:38 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:10:38 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:10:38 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:10:38 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:10:38 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:10:38 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:12:10 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x32c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 10:12:10 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13826 | 2020-03-18 10:12:14 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0xe94 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 12544 | 2020-03-18 10:12:15 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x32c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 10:12:15 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2020-03-18 10:12:24 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:12:24 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:12:24 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:13:12 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x32c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 10:13:12 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12290 | 2020-03-18 10:13:13 | | Microsoft-Windows-Security-Auditing | 5061: Cryptographic operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: %%2500 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
|
| | Security | Audit Success | 12292 | 2020-03-18 10:13:13 | | Microsoft-Windows-Security-Auditing | 5058: Key file operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Process Information: Process ID: 3832 Process Creation Time: 2020-03-18T02:13:13.379195500Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: Microsoft Connected Devices Platform device certificate Key Type: %%2500 Key File Operation Information: File Path: C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_7fbcc963-8e43-4455-80cd-825694131a80 Operation: %%2458 Return Code: 0x0
|
| | Security | Audit Success | 12292 | 2020-03-18 10:13:13 | | Microsoft-Windows-Security-Auditing | 5059: Key migration operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Process Information: Process ID: 3832 Process Creation Time: 2020-03-18T02:13:13.379195500Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: %%2500 Additional Information: Operation: %%2464 Return Code: 0x0
|
| | Security | Audit Success | 12544 | 2020-03-18 10:13:13 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x32c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 10:13:13 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2020-03-18 10:13:14 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x32c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:13:14 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x32c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 10:13:14 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:13:14 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13826 | 2020-03-18 10:13:14 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x2ec Process Name: C:\Windows\System32\SearchIndexer.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 10:13:27 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:13:27 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:13:27 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:14:29 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x32c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 10:14:29 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2020-03-18 10:14:30 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x32c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:14:30 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: defaultuser0 Account Domain: DESKTOP-UT5JEJD Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x660 Process Name: C:\Windows\System32\oobe\msoobe.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:14:30 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: defaultuser0 Account Domain: DESKTOP-UT5JEJD Logon ID: 0x82171 Linked Logon ID: 0x821b3 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x660 Process Name: C:\Windows\System32\oobe\msoobe.exe Network Information: Workstation Name: DESKTOP-ABPHKLO Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:14:30 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: defaultuser0 Account Domain: DESKTOP-UT5JEJD Logon ID: 0x821b3 Linked Logon ID: 0x82171 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x660 Process Name: C:\Windows\System32\oobe\msoobe.exe Network Information: Workstation Name: DESKTOP-ABPHKLO Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:14:30 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x32c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:14:30 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x32c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 10:14:30 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:14:30 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: defaultuser0 Account Domain: DESKTOP-UT5JEJD Logon ID: 0x82171 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:14:30 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:14:30 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2020-03-18 10:14:30 | | Microsoft-Windows-Security-Auditing | 4781: The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-32-544 Account Domain: Builtin Old Account Name: Administrators New Account Name: Administrators Additional Information: Privileges: -
|
| | Security | Audit Success | 13824 | 2020-03-18 10:14:30 | | Microsoft-Windows-Security-Auditing | 4781: The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-32-545 Account Domain: Builtin Old Account Name: Users New Account Name: Users Additional Information: Privileges: -
|
| | Security | Audit Success | 13824 | 2020-03-18 10:14:30 | | Microsoft-Windows-Security-Auditing | 4781: The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-32-546 Account Domain: Builtin Old Account Name: Guests New Account Name: Guests Additional Information: Privileges: -
|
| | Security | Audit Success | 13824 | 2020-03-18 10:14:30 | | Microsoft-Windows-Security-Auditing | 4781: The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-32-558 Account Domain: Builtin Old Account Name: Performance Monitor Users New Account Name: Performance Monitor Users Additional Information: Privileges: -
|
| | Security | Audit Success | 13824 | 2020-03-18 10:14:30 | | Microsoft-Windows-Security-Auditing | 4781: The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-32-559 Account Domain: Builtin Old Account Name: Performance Log Users New Account Name: Performance Log Users Additional Information: Privileges: -
|
| | Security | Audit Success | 13824 | 2020-03-18 10:14:30 | | Microsoft-Windows-Security-Auditing | 4781: The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-32-562 Account Domain: Builtin Old Account Name: Distributed COM Users New Account Name: Distributed COM Users Additional Information: Privileges: -
|
| | Security | Audit Success | 13824 | 2020-03-18 10:14:30 | | Microsoft-Windows-Security-Auditing | 4781: The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-32-568 Account Domain: Builtin Old Account Name: IIS_IUSRS New Account Name: IIS_IUSRS Additional Information: Privileges: -
|
| | Security | Audit Success | 13824 | 2020-03-18 10:14:30 | | Microsoft-Windows-Security-Auditing | 4781: The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-32-573 Account Domain: Builtin Old Account Name: Event Log Readers New Account Name: Event Log Readers Additional Information: Privileges: -
|
| | Security | Audit Success | 13824 | 2020-03-18 10:14:30 | | Microsoft-Windows-Security-Auditing | 4781: The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-32-580 Account Domain: Builtin Old Account Name: Remote Management Users New Account Name: Remote Management Users Additional Information: Privileges: -
|
| | Security | Audit Success | 13824 | 2020-03-18 10:14:30 | | Microsoft-Windows-Security-Auditing | 4781: The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-32-581 Account Domain: Builtin Old Account Name: System Managed Accounts Group New Account Name: System Managed Accounts Group Additional Information: Privileges: -
|
| | Security | Audit Success | 13824 | 2020-03-18 10:14:30 | | Microsoft-Windows-Security-Auditing | 4781: The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-32-583 Account Domain: Builtin Old Account Name: Device Owners New Account Name: Device Owners Additional Information: Privileges: -
|
| | Security | Audit Success | 13824 | 2020-03-18 10:14:30 | | Microsoft-Windows-Security-Auditing | 4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-4230960370-218822903-690480705-500 Account Name: Administrator Account Domain: DESKTOP-UT5JEJD Changed Attributes: SAM Account Name: Administrator Display Name: %%1793 User Principal Name: - Home Directory: %%1793 Home Drive: %%1793 Script Path: %%1793 Profile Path: %%1793 User Workstations: %%1793 Password Last Set: %%1794 Account Expires: %%1794 Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x211 New UAC Value: 0x211 User Account Control: - User Parameters: %%1793 SID History: - Logon Hours: %%1797 Additional Information: Privileges: -
|
| | Security | Audit Success | 13824 | 2020-03-18 10:14:30 | | Microsoft-Windows-Security-Auditing | 4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-4230960370-218822903-690480705-500 Account Name: Administrator Account Domain: DESKTOP-UT5JEJD Changed Attributes: SAM Account Name: Administrator Display Name: %%1793 User Principal Name: - Home Directory: %%1793 Home Drive: %%1793 Script Path: %%1793 Profile Path: %%1793 User Workstations: %%1793 Password Last Set: %%1794 Account Expires: %%1794 Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x211 New UAC Value: 0x211 User Account Control: - User Parameters: %%1793 SID History: - Logon Hours: %%1797 Additional Information: Privileges: -
|
| | Security | Audit Success | 13824 | 2020-03-18 10:14:30 | | Microsoft-Windows-Security-Auditing | 4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Changed Attributes: SAM Account Name: Guest Display Name: %%1793 User Principal Name: - Home Directory: %%1793 Home Drive: %%1793 Script Path: %%1793 Profile Path: %%1793 User Workstations: %%1793 Password Last Set: %%1794 Account Expires: %%1794 Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x215 New UAC Value: 0x215 User Account Control: - User Parameters: %%1793 SID History: - Logon Hours: %%1797 Additional Information: Privileges: -
|
| | Security | Audit Success | 13824 | 2020-03-18 10:14:30 | | Microsoft-Windows-Security-Auditing | 4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Changed Attributes: SAM Account Name: Guest Display Name: %%1793 User Principal Name: - Home Directory: %%1793 Home Drive: %%1793 Script Path: %%1793 Profile Path: %%1793 User Workstations: %%1793 Password Last Set: %%1794 Account Expires: %%1794 Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x215 New UAC Value: 0x215 User Account Control: - User Parameters: %%1793 SID History: - Logon Hours: %%1797 Additional Information: Privileges: -
|
| | Security | Audit Success | 13824 | 2020-03-18 10:14:30 | | Microsoft-Windows-Security-Auditing | 4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-4230960370-218822903-690480705-503 Account Name: DefaultAccount Account Domain: DESKTOP-UT5JEJD Changed Attributes: SAM Account Name: DefaultAccount Display Name: %%1793 User Principal Name: - Home Directory: %%1793 Home Drive: %%1793 Script Path: %%1793 Profile Path: %%1793 User Workstations: %%1793 Password Last Set: %%1794 Account Expires: %%1794 Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x215 New UAC Value: 0x215 User Account Control: - User Parameters: %%1793 SID History: - Logon Hours: %%1797 Additional Information: Privileges: -
|
| | Security | Audit Success | 13824 | 2020-03-18 10:14:30 | | Microsoft-Windows-Security-Auditing | 4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-4230960370-218822903-690480705-503 Account Name: DefaultAccount Account Domain: DESKTOP-UT5JEJD Changed Attributes: SAM Account Name: DefaultAccount Display Name: %%1793 User Principal Name: - Home Directory: %%1793 Home Drive: %%1793 Script Path: %%1793 Profile Path: %%1793 User Workstations: %%1793 Password Last Set: %%1794 Account Expires: %%1794 Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x215 New UAC Value: 0x215 User Account Control: - User Parameters: %%1793 SID History: - Logon Hours: %%1797 Additional Information: Privileges: -
|
| | Security | Audit Success | 13824 | 2020-03-18 10:14:30 | | Microsoft-Windows-Security-Auditing | 4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-4230960370-218822903-690480705-504 Account Name: WDAGUtilityAccount Account Domain: DESKTOP-UT5JEJD Changed Attributes: SAM Account Name: WDAGUtilityAccount Display Name: %%1793 User Principal Name: - Home Directory: %%1793 Home Drive: %%1793 Script Path: %%1793 Profile Path: %%1793 User Workstations: %%1793 Password Last Set: 12/26/2019 9:35:46 AM Account Expires: %%1794 Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x11 New UAC Value: 0x11 User Account Control: - User Parameters: %%1793 SID History: - Logon Hours: %%1797 Additional Information: Privileges: -
|
| | Security | Audit Success | 13824 | 2020-03-18 10:14:30 | | Microsoft-Windows-Security-Auditing | 4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-4230960370-218822903-690480705-504 Account Name: WDAGUtilityAccount Account Domain: DESKTOP-UT5JEJD Changed Attributes: SAM Account Name: WDAGUtilityAccount Display Name: %%1793 User Principal Name: - Home Directory: %%1793 Home Drive: %%1793 Script Path: %%1793 Profile Path: %%1793 User Workstations: %%1793 Password Last Set: 12/26/2019 9:35:46 AM Account Expires: %%1794 Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x11 New UAC Value: 0x11 User Account Control: - User Parameters: %%1793 SID History: - Logon Hours: %%1797 Additional Information: Privileges: -
|
| | Security | Audit Success | 13824 | 2020-03-18 10:14:30 | | Microsoft-Windows-Security-Auditing | 4781: The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-4230960370-218822903-690480705-513 Account Domain: DESKTOP-UT5JEJD Old Account Name: None New Account Name: None Additional Information: Privileges: -
|
| | Security | Audit Success | 13824 | 2020-03-18 10:14:30 | | Microsoft-Windows-Security-Auditing | 4726: A user account was deleted. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-4230960370-218822903-690480705-1000 Account Name: defaultuser0 Account Domain: DESKTOP-UT5JEJD Additional Information: Privileges -
|
| | Security | Audit Success | 13824 | 2020-03-18 10:14:30 | | Microsoft-Windows-Security-Auditing | 4720: A user account was created. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 New Account: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: defaultuser0 Account Domain: DESKTOP-UT5JEJD Attributes: SAM Account Name: defaultuser0 Display Name: %%1793 User Principal Name: - Home Directory: %%1793 Home Drive: %%1793 Script Path: %%1793 Profile Path: %%1793 User Workstations: %%1793 Password Last Set: %%1794 Account Expires: %%1794 Primary Group ID: 513 Allowed To Delegate To: - Old UAC Value: 0x0 New UAC Value: 0x15 User Account Control: %%2080 %%2082 %%2084 User Parameters: %%1793 SID History: - Logon Hours: %%1797 Additional Information: Privileges -
|
| | Security | Audit Success | 13824 | 2020-03-18 10:14:30 | | Microsoft-Windows-Security-Auditing | 4722: A user account was enabled. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: defaultuser0 Account Domain: DESKTOP-UT5JEJD
|
| | Security | Audit Success | 13824 | 2020-03-18 10:14:30 | | Microsoft-Windows-Security-Auditing | 4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: defaultuser0 Account Domain: DESKTOP-UT5JEJD Changed Attributes: SAM Account Name: defaultuser0 Display Name: %%1793 User Principal Name: - Home Directory: %%1793 Home Drive: %%1793 Script Path: %%1793 Profile Path: %%1793 User Workstations: %%1793 Password Last Set: %%1794 Account Expires: %%1794 Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x15 New UAC Value: 0x14 User Account Control: %%2048 User Parameters: %%1793 SID History: - Logon Hours: %%1797 Additional Information: Privileges: -
|
| | Security | Audit Success | 13824 | 2020-03-18 10:14:30 | | Microsoft-Windows-Security-Auditing | 4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: defaultuser0 Account Domain: DESKTOP-UT5JEJD Changed Attributes: SAM Account Name: defaultuser0 Display Name: %%1793 User Principal Name: - Home Directory: %%1793 Home Drive: %%1793 Script Path: %%1793 Profile Path: %%1793 User Workstations: %%1793 Password Last Set: 3/18/2020 10:14:30 AM Account Expires: %%1794 Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x14 New UAC Value: 0x14 User Account Control: - User Parameters: - SID History: - Logon Hours: %%1797 Additional Information: Privileges: -
|
| | Security | Audit Success | 13824 | 2020-03-18 10:14:30 | | Microsoft-Windows-Security-Auditing | 4724: An attempt was made to reset an account's password. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: defaultuser0 Account Domain: DESKTOP-UT5JEJD
|
| | Security | Audit Success | 13824 | 2020-03-18 10:14:30 | | Microsoft-Windows-Security-Auditing | 4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: defaultuser0 Account Domain: DESKTOP-UT5JEJD Changed Attributes: SAM Account Name: defaultuser0 Display Name: %%1793 User Principal Name: - Home Directory: %%1793 Home Drive: %%1793 Script Path: %%1793 Profile Path: %%1793 User Workstations: %%1793 Password Last Set: 3/18/2020 10:14:30 AM Account Expires: %%1794 Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x14 New UAC Value: 0x214 User Account Control: %%2089 User Parameters: - SID History: - Logon Hours: %%1797 Additional Information: Privileges: -
|
| | Security | Audit Success | 13824 | 2020-03-18 10:14:30 | | Microsoft-Windows-Security-Auditing | 4724: An attempt was made to reset an account's password. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: defaultuser0 Account Domain: DESKTOP-UT5JEJD
|
| | Security | Audit Success | 13826 | 2020-03-18 10:14:30 | | Microsoft-Windows-Security-Auditing | 4735: A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -
|
| | Security | Audit Success | 13826 | 2020-03-18 10:14:30 | | Microsoft-Windows-Security-Auditing | 4735: A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Changed Attributes: SAM Account Name: Administrators SID History: - Additional Information: Privileges: -
|
| | Security | Audit Success | 13826 | 2020-03-18 10:14:30 | | Microsoft-Windows-Security-Auditing | 4735: A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-545 Group Name: Users Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -
|
| | Security | Audit Success | 13826 | 2020-03-18 10:14:30 | | Microsoft-Windows-Security-Auditing | 4735: A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-545 Group Name: Users Group Domain: Builtin Changed Attributes: SAM Account Name: Users SID History: - Additional Information: Privileges: -
|
| | Security | Audit Success | 13826 | 2020-03-18 10:14:30 | | Microsoft-Windows-Security-Auditing | 4735: A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-546 Group Name: Guests Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -
|
| | Security | Audit Success | 13826 | 2020-03-18 10:14:30 | | Microsoft-Windows-Security-Auditing | 4735: A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-546 Group Name: Guests Group Domain: Builtin Changed Attributes: SAM Account Name: Guests SID History: - Additional Information: Privileges: -
|
| | Security | Audit Success | 13826 | 2020-03-18 10:14:30 | | Microsoft-Windows-Security-Auditing | 4735: A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-558 Group Name: Performance Monitor Users Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -
|
| | Security | Audit Success | 13826 | 2020-03-18 10:14:30 | | Microsoft-Windows-Security-Auditing | 4735: A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-558 Group Name: Performance Monitor Users Group Domain: Builtin Changed Attributes: SAM Account Name: Performance Monitor Users SID History: - Additional Information: Privileges: -
|
| | Security | Audit Success | 13826 | 2020-03-18 10:14:30 | | Microsoft-Windows-Security-Auditing | 4735: A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-559 Group Name: Performance Log Users Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -
|
| | Security | Audit Success | 13826 | 2020-03-18 10:14:30 | | Microsoft-Windows-Security-Auditing | 4735: A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-559 Group Name: Performance Log Users Group Domain: Builtin Changed Attributes: SAM Account Name: Performance Log Users SID History: - Additional Information: Privileges: -
|
| | Security | Audit Success | 13826 | 2020-03-18 10:14:30 | | Microsoft-Windows-Security-Auditing | 4735: A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-562 Group Name: Distributed COM Users Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -
|
| | Security | Audit Success | 13826 | 2020-03-18 10:14:30 | | Microsoft-Windows-Security-Auditing | 4735: A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-562 Group Name: Distributed COM Users Group Domain: Builtin Changed Attributes: SAM Account Name: Distributed COM Users SID History: - Additional Information: Privileges: -
|
| | Security | Audit Success | 13826 | 2020-03-18 10:14:30 | | Microsoft-Windows-Security-Auditing | 4735: A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-568 Group Name: IIS_IUSRS Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -
|
| | Security | Audit Success | 13826 | 2020-03-18 10:14:30 | | Microsoft-Windows-Security-Auditing | 4735: A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-568 Group Name: IIS_IUSRS Group Domain: Builtin Changed Attributes: SAM Account Name: IIS_IUSRS SID History: - Additional Information: Privileges: -
|
| | Security | Audit Success | 13826 | 2020-03-18 10:14:30 | | Microsoft-Windows-Security-Auditing | 4735: A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-573 Group Name: Event Log Readers Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -
|
| | Security | Audit Success | 13826 | 2020-03-18 10:14:30 | | Microsoft-Windows-Security-Auditing | 4735: A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-573 Group Name: Event Log Readers Group Domain: Builtin Changed Attributes: SAM Account Name: Event Log Readers SID History: - Additional Information: Privileges: -
|
| | Security | Audit Success | 13826 | 2020-03-18 10:14:30 | | Microsoft-Windows-Security-Auditing | 4735: A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-580 Group Name: Remote Management Users Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -
|
| | Security | Audit Success | 13826 | 2020-03-18 10:14:30 | | Microsoft-Windows-Security-Auditing | 4735: A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-580 Group Name: Remote Management Users Group Domain: Builtin Changed Attributes: SAM Account Name: Remote Management Users SID History: - Additional Information: Privileges: -
|
| | Security | Audit Success | 13826 | 2020-03-18 10:14:30 | | Microsoft-Windows-Security-Auditing | 4735: A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-581 Group Name: System Managed Accounts Group Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -
|
| | Security | Audit Success | 13826 | 2020-03-18 10:14:30 | | Microsoft-Windows-Security-Auditing | 4735: A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-581 Group Name: System Managed Accounts Group Group Domain: Builtin Changed Attributes: SAM Account Name: System Managed Accounts Group SID History: - Additional Information: Privileges: -
|
| | Security | Audit Success | 13826 | 2020-03-18 10:14:30 | | Microsoft-Windows-Security-Auditing | 4735: A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-583 Group Name: Device Owners Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -
|
| | Security | Audit Success | 13826 | 2020-03-18 10:14:30 | | Microsoft-Windows-Security-Auditing | 4735: A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-583 Group Name: Device Owners Group Domain: Builtin Changed Attributes: SAM Account Name: Device Owners SID History: - Additional Information: Privileges: -
|
| | Security | Audit Success | 13826 | 2020-03-18 10:14:30 | | Microsoft-Windows-Security-Auditing | 4737: A security-enabled global group was changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-21-4230960370-218822903-690480705-513 Group Name: None Group Domain: DESKTOP-UT5JEJD Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -
|
| | Security | Audit Success | 13826 | 2020-03-18 10:14:30 | | Microsoft-Windows-Security-Auditing | 4737: A security-enabled global group was changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-21-4230960370-218822903-690480705-513 Group Name: None Group Domain: DESKTOP-UT5JEJD Changed Attributes: SAM Account Name: None SID History: - Additional Information: Privileges: -
|
| | Security | Audit Success | 13826 | 2020-03-18 10:14:30 | | Microsoft-Windows-Security-Auditing | 4733: A member was removed from a security-enabled local group. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Member: Security ID: S-1-5-21-4230960370-218822903-690480705-1000 Account Name: - Group: Security ID: S-1-5-32-545 Group Name: Users Group Domain: Builtin Additional Information: Privileges: -
|
| | Security | Audit Success | 13826 | 2020-03-18 10:14:30 | | Microsoft-Windows-Security-Auditing | 4729: A member was removed from a security-enabled global group. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Member: Security ID: S-1-5-21-4230960370-218822903-690480705-1000 Account Name: - Group: Security ID: S-1-5-21-4230960370-218822903-690480705-513 Group Name: None Group Domain: DESKTOP-UT5JEJD Additional Information: Privileges: -
|
| | Security | Audit Success | 13826 | 2020-03-18 10:14:30 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0xc98 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13826 | 2020-03-18 10:14:30 | | Microsoft-Windows-Security-Auditing | 4728: A member was added to a security-enabled global group. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Member: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: - Group: Security ID: S-1-5-21-4230960370-218822903-690480705-513 Group Name: None Group Domain: DESKTOP-UT5JEJD Additional Information: Privileges: - Expiration time: (null)
|
| | Security | Audit Success | 13826 | 2020-03-18 10:14:30 | | Microsoft-Windows-Security-Auditing | 4732: A member was added to a security-enabled local group. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Member: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: - Group: Security ID: S-1-5-32-545 Group Name: Users Group Domain: Builtin Additional Information: Privileges: - Expiration time: (null)
|
| | Security | Audit Success | 13826 | 2020-03-18 10:14:30 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x660 Process Name: C:\Windows\System32\oobe\msoobe.exe
|
| | Security | Audit Success | 13826 | 2020-03-18 10:14:30 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x660 Process Name: C:\Windows\System32\oobe\msoobe.exe
|
| | Security | Audit Success | 13826 | 2020-03-18 10:14:30 | | Microsoft-Windows-Security-Auditing | 4732: A member was added to a security-enabled local group. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Member: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: - Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Additional Information: Privileges: - Expiration time: (null)
|
| | Security | Audit Success | 13826 | 2020-03-18 10:14:30 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x660 Process Name: C:\Windows\System32\oobe\msoobe.exe
|
| | Security | Audit Success | 13826 | 2020-03-18 10:14:30 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x660 Process Name: C:\Windows\System32\oobe\msoobe.exe
|
| | Security | Audit Success | 13826 | 2020-03-18 10:14:30 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0xc98 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 12288 | 2020-03-18 10:15:48 | | Microsoft-Windows-Security-Auditing | 4616: The system time was changed. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Process Information: Process ID: 0x8b8 Name: C:\Windows\System32\svchost.exe Previous Time: 2020-03-18T02:16:26.116786800Z New Time: 2020-03-18T02:15:48.643618300Z This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer.
|
| | Security | Audit Success | 12288 | 2020-03-18 10:15:48 | | Microsoft-Windows-Security-Auditing | 4616: The system time was changed. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Process Information: Process ID: 0x8b8 Name: C:\Windows\System32\svchost.exe Previous Time: 2020-03-18T02:15:48.644818300Z New Time: 2020-03-18T02:15:48.644860100Z This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer.
|
| | Security | Audit Success | 12288 | 2020-03-18 10:15:50 | | Microsoft-Windows-Security-Auditing | 4616: The system time was changed. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Process Information: Process ID: 0x8b8 Name: C:\Windows\System32\svchost.exe Previous Time: 2020-03-18T02:15:50.949161700Z New Time: 2020-03-18T02:15:50.949418800Z This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:15:50 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x32c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 10:15:50 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 103 | 2020-03-18 10:15:51 | | Microsoft-Windows-Eventlog | 1100: The event logging service has shut down.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:15:56 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:15:56 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:15:56 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-ABPHKLO$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13312 | 2020-03-18 10:16:04 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x78 New Process Name: ????-??6?4????0--?0??????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x4 Creator Process Name: ??????? Process Command Line: ????0--?0??????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2020-03-18 10:16:04 | | Microsoft-Windows-Security-Auditing | 4696: A primary token was assigned to process. Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Process Information: Process ID: 0x4 Process Name: ? Target Process: Target Process ID: 0x78 Target Process Name: Registry New Token Information: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x3e7
|
| | Security | Audit Success | 13312 | 2020-03-18 10:16:04 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1a4 New Process Name: ??????????????-??6?4????0--?0??????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x4 Creator Process Name: ??????? Process Command Line: ????0--?0??????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2020-03-18 10:16:04 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1c0 New Process Name: ???????????????e??? ????????? ???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1a4 Creator Process Name: ????????????????????4 Process Command Line: ????0--?0????????????????????4 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13573 | 2020-03-18 10:16:04 | | Microsoft-Windows-Security-Auditing | 4826: Boot Configuration Data loaded. Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 General Settings: Load Options: - Advanced Options: %%1843 Configuration Access Policy: %%1846 System Event Logging: %%1843 Kernel Debugging: %%1843 VSM Launch Type: %%1848 Signature Settings: Test Signing: %%1843 Flight Signing: %%1843 Disable Integrity Checks: %%1843 HyperVisor Settings: HyperVisor Load Options: - HyperVisor Launch Type: %%1848 HyperVisor Debugging: %%1843
|
| | Security | Audit Success | 13312 | 2020-03-18 10:16:05 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x240 New Process Name: ??????????????-??6??4????0--?0????????????????????4? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1a4 Creator Process Name: ????????????????????4? Process Command Line: ????0--?0????????????????????4? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2020-03-18 10:16:11 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x280 New Process Name: ??????????????e??? ????????? ???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x240 Creator Process Name: ????????????????????4 Process Command Line: ????0--?0????????????????????4 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 12288 | 2020-03-18 10:16:12 | | Microsoft-Windows-Security-Auditing | 4608: Windows is starting up. This event is logged when LSASS.EXE starts and the auditing subsystem is initialized.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:16:12 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 0 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: - New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4 Process Name: ? Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: - Authentication Package: - Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:16:12 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:16:12 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: UMFD-0 Account Domain: Font Driver Host Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x2d8 Process Name: C:\Windows\System32\wininit.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:16:12 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1842 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-96-0-0 Account Name: UMFD-0 Account Domain: Font Driver Host Logon ID: 0x10133 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2d8 Process Name: C:\Windows\System32\wininit.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:16:12 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:16:12 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:16:12 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: UMFD-1 Account Domain: Font Driver Host Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x37c Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:16:12 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1842 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-96-0-1 Account Name: UMFD-1 Account Domain: Font Driver Host Logon ID: 0x10647 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x37c Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:16:12 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:16:12 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:16:12 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:16:12 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:16:12 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DWM-1 Account Domain: Window Manager Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x37c Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:16:12 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1842 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x17c7a Linked Logon ID: 0x17c91 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x37c Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:16:12 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1842 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x17c91 Linked Logon ID: 0x17c7a Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x37c Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 10:16:12 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:16:12 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:16:12 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:16:12 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e4 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:16:12 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:16:12 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:16:12 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:16:12 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x17c7a Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:16:12 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x17c91 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege
|
| | Security | Audit Success | 13312 | 2020-03-18 10:16:12 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2d0 New Process Name: ??????????????-??6??4????0--?0????????????????????4? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1a4 Creator Process Name: ????????????????????4? Process Command Line: ????0--?0????????????????????4? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2020-03-18 10:16:12 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2d8 New Process Name: ???????????????e??? ????????? ???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x240 Creator Process Name: ????????????????????4 Process Command Line: ????0--?0????????????????????4 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2020-03-18 10:16:12 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2e8 New Process Name: ??????????????e??? ????????? ???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x2d0 Creator Process Name: ????????????????????4 Process Command Line: ????0--?0????????????????????4 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2020-03-18 10:16:12 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x320 New Process Name: ????????????????-??6??8????0--?0???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x2d8 Creator Process Name: ???????????????e?????? Process Command Line: ????0--?0???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2020-03-18 10:16:12 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x340 New Process Name: ??????????????e??? ????????? ???????????????????????4? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x2d8 Creator Process Name: ???????????????e?????? Process Command Line: ????0--?0???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13568 | 2020-03-18 10:16:12 | | Microsoft-Windows-Security-Auditing | 4902: The Per-user audit policy table was created. Number of Elements: 0 Policy ID: 0xff08
|
| | Security | Audit Success | 12292 | 2020-03-18 10:16:16 | | Microsoft-Windows-Security-Auditing | 5033: The Windows Firewall Driver started successfully.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:16:16 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:16:16 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:16:16 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:16:16 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:16:16 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:16:16 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:16:16 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:16:16 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:16:16 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:16:16 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:16:16 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:16:16 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:16:16 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:16:16 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:16:16 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:16:16 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:16:16 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:16:16 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:16:16 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:16:16 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:16:16 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:16:16 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:16:16 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:16:16 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:16:16 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 10:16:16 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:16:16 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:16:16 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:16:16 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:16:16 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:16:16 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:16:16 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:16:16 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:16:16 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:16:16 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:16:16 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:16:16 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:16:16 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:16:16 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:16:16 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:16:16 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:16:16 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:16:16 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:16:16 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:16:16 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:16:16 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:16:16 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:16:16 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:16:16 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:16:16 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2020-03-18 10:16:16 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:16:16 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:16:16 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13826 | 2020-03-18 10:16:16 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-20 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e4 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0xf3c Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 12292 | 2020-03-18 10:16:17 | | Microsoft-Windows-Security-Auditing | 5024: The Windows Firewall service started successfully.
|
| | Security | Audit Success | 13826 | 2020-03-18 10:16:17 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0xf84 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 10:16:27 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:16:27 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:16:27 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:16:34 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 10:16:34 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2020-03-18 10:16:35 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:16:35 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8099 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:16:35 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:16:35 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:16:35 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:16:35 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:16:35 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:16:35 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:16:35 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:16:35 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:16:39 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:16:39 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:16:39 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:16:39 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:16:43 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:16:43 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Read Operation: %%8099 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:16:43 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:16:43 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:16:43 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:16:43 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:16:43 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:16:53 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:16:53 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:16:53 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:16:53 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Failure | 12290 | 2020-03-18 10:17:02 | | Microsoft-Windows-Security-Auditing | 5061: Cryptographic operation. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: defaultuser0 Account Domain: DESKTOP-UT5JEJD Logon ID: 0x6d00b Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: Microsoft Connected Devices Platform device certificate Key Type: %%2500 Cryptographic Operation: Operation: %%2480 Return Code: 0x80090016
|
| | Security | Audit Failure | 12290 | 2020-03-18 10:17:02 | | Microsoft-Windows-Security-Auditing | 5061: Cryptographic operation. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: defaultuser0 Account Domain: DESKTOP-UT5JEJD Logon ID: 0x6d00b Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: Microsoft Connected Devices Platform device certificate Key Type: %%2500 Cryptographic Operation: Operation: %%2480 Return Code: 0x80090016
|
| | Security | Audit Failure | 12290 | 2020-03-18 10:17:02 | | Microsoft-Windows-Security-Auditing | 5061: Cryptographic operation. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: defaultuser0 Account Domain: DESKTOP-UT5JEJD Logon ID: 0x6d00b Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: Microsoft Connected Devices Platform device certificate Key Type: %%2500 Cryptographic Operation: Operation: %%2480 Return Code: 0x80090016
|
| | Security | Audit Success | 12290 | 2020-03-18 10:17:02 | | Microsoft-Windows-Security-Auditing | 5061: Cryptographic operation. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: defaultuser0 Account Domain: DESKTOP-UT5JEJD Logon ID: 0x6d00b Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: %%2500 Cryptographic Operation: Operation: %%2481 Return Code: 0x0
|
| | Security | Audit Success | 12290 | 2020-03-18 10:17:02 | | Microsoft-Windows-Security-Auditing | 5061: Cryptographic operation. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: defaultuser0 Account Domain: DESKTOP-UT5JEJD Logon ID: 0x6d00b Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: %%2500 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
|
| | Security | Audit Success | 12290 | 2020-03-18 10:17:02 | | Microsoft-Windows-Security-Auditing | 5061: Cryptographic operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: %%2500 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
|
| | Security | Audit Success | 12292 | 2020-03-18 10:17:02 | | Microsoft-Windows-Security-Auditing | 5058: Key file operation. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: defaultuser0 Account Domain: DESKTOP-UT5JEJD Logon ID: 0x6d00b Process Information: Process ID: 2156 Process Creation Time: 2020-03-18T02:17:02.538460100Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: %%2500 Key File Operation Information: File Path: C:\Users\defaultuser0\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_7fbcc963-8e43-4455-80cd-825694131a80 Operation: %%2459 Return Code: 0x0
|
| | Security | Audit Success | 12292 | 2020-03-18 10:17:02 | | Microsoft-Windows-Security-Auditing | 5058: Key file operation. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: defaultuser0 Account Domain: DESKTOP-UT5JEJD Logon ID: 0x6d00b Process Information: Process ID: 2156 Process Creation Time: 2020-03-18T02:17:02.538460100Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: Microsoft Connected Devices Platform device certificate Key Type: %%2500 Key File Operation Information: File Path: C:\Users\defaultuser0\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_7fbcc963-8e43-4455-80cd-825694131a80 Operation: %%2458 Return Code: 0x0
|
| | Security | Audit Success | 12292 | 2020-03-18 10:17:02 | | Microsoft-Windows-Security-Auditing | 5059: Key migration operation. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: defaultuser0 Account Domain: DESKTOP-UT5JEJD Logon ID: 0x6d00b Process Information: Process ID: 2156 Process Creation Time: 2020-03-18T02:17:02.538460100Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: %%2500 Additional Information: Operation: %%2464 Return Code: 0x0
|
| | Security | Audit Success | 12292 | 2020-03-18 10:17:02 | | Microsoft-Windows-Security-Auditing | 5059: Key migration operation. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: defaultuser0 Account Domain: DESKTOP-UT5JEJD Logon ID: 0x6d00b Process Information: Process ID: 2156 Process Creation Time: 2020-03-18T02:17:02.538460100Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: %%2500 Additional Information: Operation: %%2464 Return Code: 0x0
|
| | Security | Audit Success | 12292 | 2020-03-18 10:17:02 | | Microsoft-Windows-Security-Auditing | 5059: Key migration operation. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: defaultuser0 Account Domain: DESKTOP-UT5JEJD Logon ID: 0x6d00b Process Information: Process ID: 2156 Process Creation Time: 2020-03-18T02:17:02.538460100Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: %%2500 Additional Information: Operation: %%2464 Return Code: 0x0
|
| | Security | Audit Success | 12292 | 2020-03-18 10:17:02 | | Microsoft-Windows-Security-Auditing | 5058: Key file operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Process Information: Process ID: 5828 Process Creation Time: 2020-03-18T02:17:02.664745300Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: Microsoft Connected Devices Platform device certificate Key Type: %%2500 Key File Operation Information: File Path: C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_7fbcc963-8e43-4455-80cd-825694131a80 Operation: %%2458 Return Code: 0x0
|
| | Security | Audit Success | 12292 | 2020-03-18 10:17:02 | | Microsoft-Windows-Security-Auditing | 5059: Key migration operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Process Information: Process ID: 5828 Process Creation Time: 2020-03-18T02:17:02.664745300Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: %%2500 Additional Information: Operation: %%2464 Return Code: 0x0
|
| | Security | Audit Success | 12544 | 2020-03-18 10:17:02 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: defaultuser0 Account Domain: DESKTOP-UT5JEJD Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xbf4 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: 127.0.0.1 Port: 0 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:17:02 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: defaultuser0 Account Domain: DESKTOP-UT5JEJD Logon ID: 0x6cfc9 Linked Logon ID: 0x6d00b Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xbf4 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: DESKTOP-UT5JEJD Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:17:02 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: defaultuser0 Account Domain: DESKTOP-UT5JEJD Logon ID: 0x6d00b Linked Logon ID: 0x6cfc9 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xbf4 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: DESKTOP-UT5JEJD Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:17:02 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 10:17:02 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: defaultuser0 Account Domain: DESKTOP-UT5JEJD Logon ID: 0x6cfc9 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:17:02 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2020-03-18 10:17:02 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: defaultuser0 Account Domain: DESKTOP-UT5JEJD Logon ID: 0x6d00b Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:17:02 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: defaultuser0 Account Domain: DESKTOP-UT5JEJD Logon ID: 0x6d00b Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:17:02 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: defaultuser0 Account Domain: DESKTOP-UT5JEJD Logon ID: 0x6d00b Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:17:02 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: defaultuser0 Account Domain: DESKTOP-UT5JEJD Logon ID: 0x6d00b Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:17:02 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: defaultuser0 Account Domain: DESKTOP-UT5JEJD Logon ID: 0x6d00b Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:17:02 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:17:02 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:17:02 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13826 | 2020-03-18 10:17:02 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0xa20 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 12544 | 2020-03-18 10:17:03 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:17:03 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:17:03 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 10:17:03 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:17:03 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:17:03 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13826 | 2020-03-18 10:17:03 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x1974 Process Name: C:\Windows\System32\SearchIndexer.exe
|
| | Security | Audit Success | 12544 | 2020-03-18 10:17:04 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 10:17:04 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2020-03-18 10:17:04 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:17:04 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:17:04 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:17:04 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:17:07 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:17:07 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 10:17:07 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:17:07 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2020-03-18 10:17:09 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: defaultuser0 Account Domain: DESKTOP-UT5JEJD Logon ID: 0x6d00b Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:17:10 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: defaultuser0 Account Domain: DESKTOP-UT5JEJD Logon ID: 0x6d00b Read Operation: %%8099 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:17:10 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: defaultuser0 Account Domain: DESKTOP-UT5JEJD Logon ID: 0x6d00b Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:17:10 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: defaultuser0 Account Domain: DESKTOP-UT5JEJD Logon ID: 0x6d00b Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:17:12 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: defaultuser0 Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1430 Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 10:17:12 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: defaultuser0 Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1430 Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 10:17:14 | | Microsoft-Windows-Security-Auditing | 4781: The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-32-544 Account Domain: Builtin Old Account Name: Administrators New Account Name: Administrators Additional Information: Privileges: -
|
| | Security | Audit Success | 13824 | 2020-03-18 10:17:14 | | Microsoft-Windows-Security-Auditing | 4781: The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-32-545 Account Domain: Builtin Old Account Name: Users New Account Name: Users Additional Information: Privileges: -
|
| | Security | Audit Success | 13824 | 2020-03-18 10:17:14 | | Microsoft-Windows-Security-Auditing | 4781: The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-32-546 Account Domain: Builtin Old Account Name: Guests New Account Name: Guests Additional Information: Privileges: -
|
| | Security | Audit Success | 13824 | 2020-03-18 10:17:14 | | Microsoft-Windows-Security-Auditing | 4781: The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-32-558 Account Domain: Builtin Old Account Name: Performance Monitor Users New Account Name: Performance Monitor Users Additional Information: Privileges: -
|
| | Security | Audit Success | 13824 | 2020-03-18 10:17:14 | | Microsoft-Windows-Security-Auditing | 4781: The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-32-559 Account Domain: Builtin Old Account Name: Performance Log Users New Account Name: Performance Log Users Additional Information: Privileges: -
|
| | Security | Audit Success | 13824 | 2020-03-18 10:17:14 | | Microsoft-Windows-Security-Auditing | 4781: The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-32-562 Account Domain: Builtin Old Account Name: Distributed COM Users New Account Name: Distributed COM Users Additional Information: Privileges: -
|
| | Security | Audit Success | 13824 | 2020-03-18 10:17:14 | | Microsoft-Windows-Security-Auditing | 4781: The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-32-568 Account Domain: Builtin Old Account Name: IIS_IUSRS New Account Name: IIS_IUSRS Additional Information: Privileges: -
|
| | Security | Audit Success | 13824 | 2020-03-18 10:17:14 | | Microsoft-Windows-Security-Auditing | 4781: The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-32-573 Account Domain: Builtin Old Account Name: Event Log Readers New Account Name: Event Log Readers Additional Information: Privileges: -
|
| | Security | Audit Success | 13824 | 2020-03-18 10:17:14 | | Microsoft-Windows-Security-Auditing | 4781: The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-32-580 Account Domain: Builtin Old Account Name: Remote Management Users New Account Name: Remote Management Users Additional Information: Privileges: -
|
| | Security | Audit Success | 13824 | 2020-03-18 10:17:14 | | Microsoft-Windows-Security-Auditing | 4781: The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-32-581 Account Domain: Builtin Old Account Name: System Managed Accounts Group New Account Name: System Managed Accounts Group Additional Information: Privileges: -
|
| | Security | Audit Success | 13824 | 2020-03-18 10:17:14 | | Microsoft-Windows-Security-Auditing | 4781: The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-32-583 Account Domain: Builtin Old Account Name: Device Owners New Account Name: Device Owners Additional Information: Privileges: -
|
| | Security | Audit Success | 13824 | 2020-03-18 10:17:14 | | Microsoft-Windows-Security-Auditing | 4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-4230960370-218822903-690480705-500 Account Name: Administrator Account Domain: DESKTOP-UT5JEJD Changed Attributes: SAM Account Name: Administrator Display Name: %%1793 User Principal Name: - Home Directory: %%1793 Home Drive: %%1793 Script Path: %%1793 Profile Path: %%1793 User Workstations: %%1793 Password Last Set: %%1794 Account Expires: %%1794 Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x211 New UAC Value: 0x211 User Account Control: - User Parameters: %%1793 SID History: - Logon Hours: %%1797 Additional Information: Privileges: -
|
| | Security | Audit Success | 13824 | 2020-03-18 10:17:14 | | Microsoft-Windows-Security-Auditing | 4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-4230960370-218822903-690480705-500 Account Name: Administrator Account Domain: DESKTOP-UT5JEJD Changed Attributes: SAM Account Name: Administrator Display Name: %%1793 User Principal Name: - Home Directory: %%1793 Home Drive: %%1793 Script Path: %%1793 Profile Path: %%1793 User Workstations: %%1793 Password Last Set: %%1794 Account Expires: %%1794 Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x211 New UAC Value: 0x211 User Account Control: - User Parameters: %%1793 SID History: - Logon Hours: %%1797 Additional Information: Privileges: -
|
| | Security | Audit Success | 13824 | 2020-03-18 10:17:14 | | Microsoft-Windows-Security-Auditing | 4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Changed Attributes: SAM Account Name: Guest Display Name: %%1793 User Principal Name: - Home Directory: %%1793 Home Drive: %%1793 Script Path: %%1793 Profile Path: %%1793 User Workstations: %%1793 Password Last Set: %%1794 Account Expires: %%1794 Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x215 New UAC Value: 0x215 User Account Control: - User Parameters: %%1793 SID History: - Logon Hours: %%1797 Additional Information: Privileges: -
|
| | Security | Audit Success | 13824 | 2020-03-18 10:17:14 | | Microsoft-Windows-Security-Auditing | 4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Changed Attributes: SAM Account Name: Guest Display Name: %%1793 User Principal Name: - Home Directory: %%1793 Home Drive: %%1793 Script Path: %%1793 Profile Path: %%1793 User Workstations: %%1793 Password Last Set: %%1794 Account Expires: %%1794 Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x215 New UAC Value: 0x215 User Account Control: - User Parameters: %%1793 SID History: - Logon Hours: %%1797 Additional Information: Privileges: -
|
| | Security | Audit Success | 13824 | 2020-03-18 10:17:14 | | Microsoft-Windows-Security-Auditing | 4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-4230960370-218822903-690480705-503 Account Name: DefaultAccount Account Domain: DESKTOP-UT5JEJD Changed Attributes: SAM Account Name: DefaultAccount Display Name: %%1793 User Principal Name: - Home Directory: %%1793 Home Drive: %%1793 Script Path: %%1793 Profile Path: %%1793 User Workstations: %%1793 Password Last Set: %%1794 Account Expires: %%1794 Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x215 New UAC Value: 0x215 User Account Control: - User Parameters: %%1793 SID History: - Logon Hours: %%1797 Additional Information: Privileges: -
|
| | Security | Audit Success | 13824 | 2020-03-18 10:17:14 | | Microsoft-Windows-Security-Auditing | 4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-4230960370-218822903-690480705-503 Account Name: DefaultAccount Account Domain: DESKTOP-UT5JEJD Changed Attributes: SAM Account Name: DefaultAccount Display Name: %%1793 User Principal Name: - Home Directory: %%1793 Home Drive: %%1793 Script Path: %%1793 Profile Path: %%1793 User Workstations: %%1793 Password Last Set: %%1794 Account Expires: %%1794 Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x215 New UAC Value: 0x215 User Account Control: - User Parameters: %%1793 SID History: - Logon Hours: %%1797 Additional Information: Privileges: -
|
| | Security | Audit Success | 13824 | 2020-03-18 10:17:14 | | Microsoft-Windows-Security-Auditing | 4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-4230960370-218822903-690480705-504 Account Name: WDAGUtilityAccount Account Domain: DESKTOP-UT5JEJD Changed Attributes: SAM Account Name: WDAGUtilityAccount Display Name: %%1793 User Principal Name: - Home Directory: %%1793 Home Drive: %%1793 Script Path: %%1793 Profile Path: %%1793 User Workstations: %%1793 Password Last Set: 27/12/2019 12:35:46 am Account Expires: %%1794 Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x11 New UAC Value: 0x11 User Account Control: - User Parameters: %%1793 SID History: - Logon Hours: %%1797 Additional Information: Privileges: -
|
| | Security | Audit Success | 13824 | 2020-03-18 10:17:14 | | Microsoft-Windows-Security-Auditing | 4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-4230960370-218822903-690480705-504 Account Name: WDAGUtilityAccount Account Domain: DESKTOP-UT5JEJD Changed Attributes: SAM Account Name: WDAGUtilityAccount Display Name: %%1793 User Principal Name: - Home Directory: %%1793 Home Drive: %%1793 Script Path: %%1793 Profile Path: %%1793 User Workstations: %%1793 Password Last Set: 27/12/2019 12:35:46 am Account Expires: %%1794 Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x11 New UAC Value: 0x11 User Account Control: - User Parameters: %%1793 SID History: - Logon Hours: %%1797 Additional Information: Privileges: -
|
| | Security | Audit Success | 13824 | 2020-03-18 10:17:14 | | Microsoft-Windows-Security-Auditing | 4781: The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-4230960370-218822903-690480705-513 Account Domain: DESKTOP-UT5JEJD Old Account Name: None New Account Name: None Additional Information: Privileges: -
|
| | Security | Audit Success | 13824 | 2020-03-18 10:17:14 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:17:14 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:17:14 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13826 | 2020-03-18 10:17:14 | | Microsoft-Windows-Security-Auditing | 4735: A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -
|
| | Security | Audit Success | 13826 | 2020-03-18 10:17:14 | | Microsoft-Windows-Security-Auditing | 4735: A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Changed Attributes: SAM Account Name: Administrators SID History: - Additional Information: Privileges: -
|
| | Security | Audit Success | 13826 | 2020-03-18 10:17:14 | | Microsoft-Windows-Security-Auditing | 4735: A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-545 Group Name: Users Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -
|
| | Security | Audit Success | 13826 | 2020-03-18 10:17:14 | | Microsoft-Windows-Security-Auditing | 4735: A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-545 Group Name: Users Group Domain: Builtin Changed Attributes: SAM Account Name: Users SID History: - Additional Information: Privileges: -
|
| | Security | Audit Success | 13826 | 2020-03-18 10:17:14 | | Microsoft-Windows-Security-Auditing | 4735: A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-546 Group Name: Guests Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -
|
| | Security | Audit Success | 13826 | 2020-03-18 10:17:14 | | Microsoft-Windows-Security-Auditing | 4735: A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-546 Group Name: Guests Group Domain: Builtin Changed Attributes: SAM Account Name: Guests SID History: - Additional Information: Privileges: -
|
| | Security | Audit Success | 13826 | 2020-03-18 10:17:14 | | Microsoft-Windows-Security-Auditing | 4735: A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-558 Group Name: Performance Monitor Users Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -
|
| | Security | Audit Success | 13826 | 2020-03-18 10:17:14 | | Microsoft-Windows-Security-Auditing | 4735: A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-558 Group Name: Performance Monitor Users Group Domain: Builtin Changed Attributes: SAM Account Name: Performance Monitor Users SID History: - Additional Information: Privileges: -
|
| | Security | Audit Success | 13826 | 2020-03-18 10:17:14 | | Microsoft-Windows-Security-Auditing | 4735: A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-559 Group Name: Performance Log Users Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -
|
| | Security | Audit Success | 13826 | 2020-03-18 10:17:14 | | Microsoft-Windows-Security-Auditing | 4735: A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-559 Group Name: Performance Log Users Group Domain: Builtin Changed Attributes: SAM Account Name: Performance Log Users SID History: - Additional Information: Privileges: -
|
| | Security | Audit Success | 13826 | 2020-03-18 10:17:14 | | Microsoft-Windows-Security-Auditing | 4735: A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-562 Group Name: Distributed COM Users Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -
|
| | Security | Audit Success | 13826 | 2020-03-18 10:17:14 | | Microsoft-Windows-Security-Auditing | 4735: A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-562 Group Name: Distributed COM Users Group Domain: Builtin Changed Attributes: SAM Account Name: Distributed COM Users SID History: - Additional Information: Privileges: -
|
| | Security | Audit Success | 13826 | 2020-03-18 10:17:14 | | Microsoft-Windows-Security-Auditing | 4735: A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-568 Group Name: IIS_IUSRS Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -
|
| | Security | Audit Success | 13826 | 2020-03-18 10:17:14 | | Microsoft-Windows-Security-Auditing | 4735: A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-568 Group Name: IIS_IUSRS Group Domain: Builtin Changed Attributes: SAM Account Name: IIS_IUSRS SID History: - Additional Information: Privileges: -
|
| | Security | Audit Success | 13826 | 2020-03-18 10:17:14 | | Microsoft-Windows-Security-Auditing | 4735: A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-573 Group Name: Event Log Readers Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -
|
| | Security | Audit Success | 13826 | 2020-03-18 10:17:14 | | Microsoft-Windows-Security-Auditing | 4735: A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-573 Group Name: Event Log Readers Group Domain: Builtin Changed Attributes: SAM Account Name: Event Log Readers SID History: - Additional Information: Privileges: -
|
| | Security | Audit Success | 13826 | 2020-03-18 10:17:14 | | Microsoft-Windows-Security-Auditing | 4735: A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-580 Group Name: Remote Management Users Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -
|
| | Security | Audit Success | 13826 | 2020-03-18 10:17:14 | | Microsoft-Windows-Security-Auditing | 4735: A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-580 Group Name: Remote Management Users Group Domain: Builtin Changed Attributes: SAM Account Name: Remote Management Users SID History: - Additional Information: Privileges: -
|
| | Security | Audit Success | 13826 | 2020-03-18 10:17:14 | | Microsoft-Windows-Security-Auditing | 4735: A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-581 Group Name: System Managed Accounts Group Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -
|
| | Security | Audit Success | 13826 | 2020-03-18 10:17:14 | | Microsoft-Windows-Security-Auditing | 4735: A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-581 Group Name: System Managed Accounts Group Group Domain: Builtin Changed Attributes: SAM Account Name: System Managed Accounts Group SID History: - Additional Information: Privileges: -
|
| | Security | Audit Success | 13826 | 2020-03-18 10:17:14 | | Microsoft-Windows-Security-Auditing | 4735: A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-583 Group Name: Device Owners Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -
|
| | Security | Audit Success | 13826 | 2020-03-18 10:17:14 | | Microsoft-Windows-Security-Auditing | 4735: A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-583 Group Name: Device Owners Group Domain: Builtin Changed Attributes: SAM Account Name: Device Owners SID History: - Additional Information: Privileges: -
|
| | Security | Audit Success | 13826 | 2020-03-18 10:17:14 | | Microsoft-Windows-Security-Auditing | 4737: A security-enabled global group was changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-21-4230960370-218822903-690480705-513 Group Name: None Group Domain: DESKTOP-UT5JEJD Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -
|
| | Security | Audit Success | 13826 | 2020-03-18 10:17:14 | | Microsoft-Windows-Security-Auditing | 4737: A security-enabled global group was changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-21-4230960370-218822903-690480705-513 Group Name: None Group Domain: DESKTOP-UT5JEJD Changed Attributes: SAM Account Name: None SID History: - Additional Information: Privileges: -
|
| | Security | Audit Success | 13824 | 2020-03-18 10:17:18 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:17:18 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:17:18 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:17:18 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:17:28 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: defaultuser0 Account Domain: DESKTOP-UT5JEJD Logon ID: 0x6d00b Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:17:28 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: defaultuser0 Account Domain: DESKTOP-UT5JEJD Logon ID: 0x6d00b Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:17:28 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: defaultuser0 Account Domain: DESKTOP-UT5JEJD Logon ID: 0x6d00b Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:17:30 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: defaultuser0 Account Domain: DESKTOP-UT5JEJD Logon ID: 0x6d00b Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:17:30 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: defaultuser0 Account Domain: DESKTOP-UT5JEJD Logon ID: 0x6d00b Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:17:30 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: defaultuser0 Account Domain: DESKTOP-UT5JEJD Logon ID: 0x6d00b Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:17:30 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: defaultuser0 Account Domain: DESKTOP-UT5JEJD Logon ID: 0x6d00b Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:17:32 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 10:17:32 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2020-03-18 10:17:39 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 10:17:39 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2020-03-18 10:18:02 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 10:18:02 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2020-03-18 10:18:05 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 10:18:05 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13826 | 2020-03-18 10:18:06 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x1c04 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 10:18:43 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: defaultuser0 Account Domain: DESKTOP-UT5JEJD Logon ID: 0x6d00b Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:18:43 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: defaultuser0 Account Domain: DESKTOP-UT5JEJD Logon ID: 0x6d00b Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:18:43 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: defaultuser0 Account Domain: DESKTOP-UT5JEJD Logon ID: 0x6d00b Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:18:48 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 10:18:48 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2020-03-18 10:18:48 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: defaultuser0 Account Domain: DESKTOP-UT5JEJD Logon ID: 0x6d00b Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:18:48 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: defaultuser0 Account Domain: DESKTOP-UT5JEJD Logon ID: 0x6d00b Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:18:48 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: defaultuser0 Account Domain: DESKTOP-UT5JEJD Logon ID: 0x6d00b Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:18:48 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: defaultuser0 Account Domain: DESKTOP-UT5JEJD Logon ID: 0x6d00b Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 12545 | 2020-03-18 10:18:49 | | Microsoft-Windows-Security-Auditing | 4647: User initiated logoff: Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: defaultuser0 Account Domain: DESKTOP-UT5JEJD Logon ID: 0x6d00b This event is generated when a logoff is initiated. No further user-initiated activity can occur. This event can be interpreted as a logoff event.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:18:49 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-500 Account Name: Administrator Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0xbf4 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 10:18:49 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-503 Account Name: DefaultAccount Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0xbf4 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 10:18:49 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: defaultuser0 Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0xbf4 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 10:18:49 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0xbf4 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 10:18:49 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-504 Account Name: WDAGUtilityAccount Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0xbf4 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 10:18:51 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:18:51 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:18:51 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 103 | 2020-03-18 10:18:53 | | Microsoft-Windows-Eventlog | 1100: The event logging service has shut down.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:18:53 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:18:53 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:18:53 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:18:53 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13312 | 2020-03-18 10:19:07 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x78 New Process Name: ????-??6?4????0--?0??????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x4 Creator Process Name: ??????? Process Command Line: ????0--?0??????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2020-03-18 10:19:07 | | Microsoft-Windows-Security-Auditing | 4696: A primary token was assigned to process. Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Process Information: Process ID: 0x4 Process Name: ? Target Process: Target Process ID: 0x78 Target Process Name: Registry New Token Information: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x3e7
|
| | Security | Audit Success | 13312 | 2020-03-18 10:19:07 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1a4 New Process Name: ??????????????-??6?4????0--?0??????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x4 Creator Process Name: ??????? Process Command Line: ????0--?0??????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2020-03-18 10:19:07 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1c4 New Process Name: ???????????????e??? ????????? ???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1a4 Creator Process Name: ????????????????????4 Process Command Line: ????0--?0????????????????????4 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13573 | 2020-03-18 10:19:07 | | Microsoft-Windows-Security-Auditing | 4826: Boot Configuration Data loaded. Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 General Settings: Load Options: - Advanced Options: %%1843 Configuration Access Policy: %%1846 System Event Logging: %%1843 Kernel Debugging: %%1843 VSM Launch Type: %%1848 Signature Settings: Test Signing: %%1843 Flight Signing: %%1843 Disable Integrity Checks: %%1843 HyperVisor Settings: HyperVisor Load Options: - HyperVisor Launch Type: %%1848 HyperVisor Debugging: %%1843
|
| | Security | Audit Success | 13312 | 2020-03-18 10:19:08 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x248 New Process Name: ??????????????-??6??4????0--?0????????????????????4? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1a4 Creator Process Name: ????????????????????4? Process Command Line: ????0--?0????????????????????4? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2020-03-18 10:19:14 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x284 New Process Name: ??????????????e??? ????????? ???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x248 Creator Process Name: ????????????????????4 Process Command Line: ????0--?0????????????????????4 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 12288 | 2020-03-18 10:19:15 | | Microsoft-Windows-Security-Auditing | 4608: Windows is starting up. This event is logged when LSASS.EXE starts and the auditing subsystem is initialized.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:19:15 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 0 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: - New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4 Process Name: ? Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: - Authentication Package: - Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:19:15 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: UMFD-0 Account Domain: Font Driver Host Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x2e0 Process Name: C:\Windows\System32\wininit.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:19:15 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1842 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-96-0-0 Account Name: UMFD-0 Account Domain: Font Driver Host Logon ID: 0xfc8f Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e0 Process Name: C:\Windows\System32\wininit.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:19:15 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:19:15 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:19:15 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:19:15 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: UMFD-1 Account Domain: Font Driver Host Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x3dc Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:19:15 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1842 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-96-0-1 Account Name: UMFD-1 Account Domain: Font Driver Host Logon ID: 0x111ec Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x3dc Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:19:15 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:19:15 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:19:15 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DWM-1 Account Domain: Window Manager Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x3dc Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:19:15 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1842 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x17421 Linked Logon ID: 0x1745b Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x3dc Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:19:15 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1842 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x1745b Linked Logon ID: 0x17421 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x3dc Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:19:15 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:19:15 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:19:15 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:19:15 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:19:15 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:19:15 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:19:15 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:19:15 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:19:15 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:19:15 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:19:15 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:19:15 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:19:15 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 10:19:15 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:19:15 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:19:15 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:19:15 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e4 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:19:15 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:19:15 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x17421 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:19:15 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x1745b Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:19:15 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:19:15 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:19:15 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:19:15 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:19:15 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:19:15 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:19:15 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:19:15 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:19:15 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:19:15 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:19:15 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:19:15 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:19:15 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13312 | 2020-03-18 10:19:15 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2d8 New Process Name: ??????????????-??6??4????0--?0????????????????????4? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1a4 Creator Process Name: ????????????????????4? Process Command Line: ????0--?0????????????????????4? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2020-03-18 10:19:15 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2e0 New Process Name: ???????????????e??? ????????? ???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x248 Creator Process Name: ????????????????????4 Process Command Line: ????0--?0????????????????????4 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2020-03-18 10:19:15 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2f0 New Process Name: ??????????????e??? ????????? ???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x2d8 Creator Process Name: ????????????????????4 Process Command Line: ????0--?0????????????????????4 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2020-03-18 10:19:15 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x328 New Process Name: ????????????????-??6??0????0--?0???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x2e0 Creator Process Name: ???????????????e?????? Process Command Line: ????0--?0???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2020-03-18 10:19:15 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x330 New Process Name: ??????????????e??? ????????? ???????????????????????4? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x2e0 Creator Process Name: ???????????????e?????? Process Command Line: ????0--?0???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13568 | 2020-03-18 10:19:15 | | Microsoft-Windows-Security-Auditing | 4902: The Per-user audit policy table was created. Number of Elements: 0 Policy ID: 0xfa7b
|
| | Security | Audit Success | 12292 | 2020-03-18 10:19:16 | | Microsoft-Windows-Security-Auditing | 5033: The Windows Firewall Driver started successfully.
|
| | Security | Audit Success | 12292 | 2020-03-18 10:19:16 | | Microsoft-Windows-Security-Auditing | 5024: The Windows Firewall service started successfully.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:19:16 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:19:16 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:19:16 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:19:16 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:19:16 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:19:16 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:19:16 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:19:16 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:19:16 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:19:16 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:19:16 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:19:16 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 10:19:16 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:19:16 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:19:16 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:19:16 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:19:16 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:19:16 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:19:16 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:19:16 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:19:16 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:19:16 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:19:16 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:19:16 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13826 | 2020-03-18 10:19:16 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-20 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e4 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0xed0 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13826 | 2020-03-18 10:19:16 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0xed8 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 12290 | 2020-03-18 10:20:01 | | Microsoft-Windows-Security-Auditing | 5061: Cryptographic operation. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: defaultuser0 Account Domain: DESKTOP-UT5JEJD Logon ID: 0x6628d Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: %%2500 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
|
| | Security | Audit Success | 12290 | 2020-03-18 10:20:01 | | Microsoft-Windows-Security-Auditing | 5061: Cryptographic operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: %%2500 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
|
| | Security | Audit Success | 12292 | 2020-03-18 10:20:01 | | Microsoft-Windows-Security-Auditing | 5058: Key file operation. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: defaultuser0 Account Domain: DESKTOP-UT5JEJD Logon ID: 0x6628d Process Information: Process ID: 6004 Process Creation Time: 2020-03-18T02:20:01.613677000Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: Microsoft Connected Devices Platform device certificate Key Type: %%2500 Key File Operation Information: File Path: C:\Users\defaultuser0\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_7fbcc963-8e43-4455-80cd-825694131a80 Operation: %%2458 Return Code: 0x0
|
| | Security | Audit Success | 12292 | 2020-03-18 10:20:01 | | Microsoft-Windows-Security-Auditing | 5059: Key migration operation. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: defaultuser0 Account Domain: DESKTOP-UT5JEJD Logon ID: 0x6628d Process Information: Process ID: 6004 Process Creation Time: 2020-03-18T02:20:01.613677000Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: %%2500 Additional Information: Operation: %%2464 Return Code: 0x0
|
| | Security | Audit Success | 12292 | 2020-03-18 10:20:01 | | Microsoft-Windows-Security-Auditing | 5058: Key file operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Process Information: Process ID: 1888 Process Creation Time: 2020-03-18T02:20:01.741638400Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: Microsoft Connected Devices Platform device certificate Key Type: %%2500 Key File Operation Information: File Path: C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_7fbcc963-8e43-4455-80cd-825694131a80 Operation: %%2458 Return Code: 0x0
|
| | Security | Audit Success | 12292 | 2020-03-18 10:20:01 | | Microsoft-Windows-Security-Auditing | 5059: Key migration operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Process Information: Process ID: 1888 Process Creation Time: 2020-03-18T02:20:01.741638400Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: %%2500 Additional Information: Operation: %%2464 Return Code: 0x0
|
| | Security | Audit Success | 12544 | 2020-03-18 10:20:01 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: defaultuser0 Account Domain: DESKTOP-UT5JEJD Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xb20 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: 127.0.0.1 Port: 0 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:20:01 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: defaultuser0 Account Domain: DESKTOP-UT5JEJD Logon ID: 0x66258 Linked Logon ID: 0x6628d Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xb20 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: DESKTOP-UT5JEJD Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. 
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:20:01 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: defaultuser0 Account Domain: DESKTOP-UT5JEJD Logon ID: 0x6628d Linked Logon ID: 0x66258 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xb20 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: DESKTOP-UT5JEJD Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. 
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:20:01 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 10:20:01 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: defaultuser0 Account Domain: DESKTOP-UT5JEJD Logon ID: 0x66258 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:20:01 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13826 | 2020-03-18 10:20:01 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x8a4 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 10:20:11 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: defaultuser0 Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x13b8 Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 10:20:11 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: defaultuser0 Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x13b8 Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe
|
| | Security | Audit Success | 12544 | 2020-03-18 10:20:32 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 10:20:32 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13826 | 2020-03-18 10:20:32 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0xd2c Process Name: C:\Windows\System32\SearchIndexer.exe
|
| | Security | Audit Success | 12544 | 2020-03-18 10:20:53 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:20:53 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:20:53 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 10:20:53 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:20:53 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:20:53 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2020-03-18 10:21:04 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 10:21:04 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2020-03-18 10:21:05 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 10:21:05 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13826 | 2020-03-18 10:21:09 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x19dc Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 12544 | 2020-03-18 10:21:58 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 10:21:58 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2020-03-18 10:21:59 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:21:59 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 10:21:59 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:21:59 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2020-03-18 10:22:01 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:22:01 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:22:01 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 10:22:01 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:22:01 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:22:01 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2020-03-18 10:22:02 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 10:22:02 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2020-03-18 10:22:39 | | Microsoft-Windows-Security-Auditing | 4720: A user account was created. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 New Account: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Attributes: SAM Account Name: redblue Display Name: %%1793 User Principal Name: - Home Directory: %%1793 Home Drive: %%1793 Script Path: %%1793 Profile Path: %%1793 User Workstations: %%1793 Password Last Set: %%1794 Account Expires: %%1794 Primary Group ID: 513 Allowed To Delegate To: - Old UAC Value: 0x0 New UAC Value: 0x15 User Account Control: %%2080 %%2082 %%2084 User Parameters: %%1793 SID History: - Logon Hours: %%1797 Additional Information: Privileges -
|
| | Security | Audit Success | 13824 | 2020-03-18 10:22:39 | | Microsoft-Windows-Security-Auditing | 4722: A user account was enabled. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD
|
| | Security | Audit Success | 13824 | 2020-03-18 10:22:39 | | Microsoft-Windows-Security-Auditing | 4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Changed Attributes: SAM Account Name: redblue Display Name: %%1793 User Principal Name: - Home Directory: %%1793 Home Drive: %%1793 Script Path: %%1793 Profile Path: %%1793 User Workstations: %%1793 Password Last Set: %%1794 Account Expires: %%1794 Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x15 New UAC Value: 0x14 User Account Control: %%2048 User Parameters: %%1793 SID History: - Logon Hours: %%1797 Additional Information: Privileges: -
|
| | Security | Audit Success | 13824 | 2020-03-18 10:22:39 | | Microsoft-Windows-Security-Auditing | 4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Changed Attributes: SAM Account Name: redblue Display Name: %%1793 User Principal Name: - Home Directory: %%1793 Home Drive: %%1793 Script Path: %%1793 Profile Path: %%1793 User Workstations: %%1793 Password Last Set: 3/17/2020 7:22:39 PM Account Expires: %%1794 Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x14 New UAC Value: 0x14 User Account Control: - User Parameters: - SID History: - Logon Hours: %%1797 Additional Information: Privileges: -
|
| | Security | Audit Success | 13824 | 2020-03-18 10:22:39 | | Microsoft-Windows-Security-Auditing | 4724: An attempt was made to reset an account's password. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD
|
| | Security | Audit Success | 13824 | 2020-03-18 10:22:39 | | Microsoft-Windows-Security-Auditing | 4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Changed Attributes: SAM Account Name: redblue Display Name: %%1793 User Principal Name: - Home Directory: %%1793 Home Drive: %%1793 Script Path: %%1793 Profile Path: %%1793 User Workstations: %%1793 Password Last Set: 3/17/2020 7:22:39 PM Account Expires: %%1794 Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x14 New UAC Value: 0x214 User Account Control: %%2089 User Parameters: - SID History: - Logon Hours: %%1797 Additional Information: Privileges: -
|
| | Security | Audit Success | 13824 | 2020-03-18 10:22:39 | | Microsoft-Windows-Security-Auditing | 4724: An attempt was made to reset an account's password. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD
|
| | Security | Audit Success | 13824 | 2020-03-18 10:22:39 | | Microsoft-Windows-Security-Auditing | 4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Changed Attributes: SAM Account Name: - Display Name: - User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: - Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - Additional Information: Privileges: -
|
| | Security | Audit Success | 13826 | 2020-03-18 10:22:39 | | Microsoft-Windows-Security-Auditing | 4728: A member was added to a security-enabled global group. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Member: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: - Group: Security ID: S-1-5-21-4230960370-218822903-690480705-513 Group Name: None Group Domain: DESKTOP-UT5JEJD Additional Information: Privileges: - Expiration time: (null)
|
| | Security | Audit Success | 13826 | 2020-03-18 10:22:39 | | Microsoft-Windows-Security-Auditing | 4732: A member was added to a security-enabled local group. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Member: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: - Group: Security ID: S-1-5-32-545 Group Name: Users Group Domain: Builtin Additional Information: Privileges: - Expiration time: (null)
|
| | Security | Audit Success | 13826 | 2020-03-18 10:22:39 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x758 Process Name: C:\Windows\System32\CloudExperienceHostBroker.exe
|
| | Security | Audit Success | 13826 | 2020-03-18 10:22:39 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x758 Process Name: C:\Windows\System32\CloudExperienceHostBroker.exe
|
| | Security | Audit Success | 13826 | 2020-03-18 10:22:39 | | Microsoft-Windows-Security-Auditing | 4732: A member was added to a security-enabled local group. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Member: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: - Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Additional Information: Privileges: - Expiration time: (null)
|
| | Security | Audit Success | 13826 | 2020-03-18 10:22:39 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x758 Process Name: C:\Windows\System32\CloudExperienceHostBroker.exe
|
| | Security | Audit Success | 13826 | 2020-03-18 10:22:39 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x758 Process Name: C:\Windows\System32\CloudExperienceHostBroker.exe
|
| | Security | Audit Success | 13826 | 2020-03-18 10:22:39 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-545 Group Name: Users Group Domain: Builtin Process Information: Process ID: 0x758 Process Name: C:\Windows\System32\CloudExperienceHostBroker.exe
|
| | Security | Audit Success | 13826 | 2020-03-18 10:22:39 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-545 Group Name: Users Group Domain: Builtin Process Information: Process ID: 0x758 Process Name: C:\Windows\System32\CloudExperienceHostBroker.exe
|
| | Security | Audit Success | 13826 | 2020-03-18 10:22:39 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-545 Group Name: Users Group Domain: Builtin Process Information: Process ID: 0x758 Process Name: C:\Windows\System32\CloudExperienceHostBroker.exe
|
| | Security | Audit Success | 13826 | 2020-03-18 10:22:39 | | Microsoft-Windows-Security-Auditing | 4733: A member was removed from a security-enabled local group. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Member: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: - Group: Security ID: S-1-5-32-545 Group Name: Users Group Domain: Builtin Additional Information: Privileges: -
|
| | Security | Audit Success | 13826 | 2020-03-18 10:22:39 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-545 Group Name: Users Group Domain: Builtin Process Information: Process ID: 0x758 Process Name: C:\Windows\System32\CloudExperienceHostBroker.exe
|
| | Security | Audit Success | 13826 | 2020-03-18 10:22:39 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-545 Group Name: Users Group Domain: Builtin Process Information: Process ID: 0x758 Process Name: C:\Windows\System32\CloudExperienceHostBroker.exe
|
| | Security | Audit Success | 12544 | 2020-03-18 10:22:40 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: defaultuser0 Account Domain: DESKTOP-UT5JEJD Logon ID: 0x6628d Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x758 Process Name: C:\Windows\System32\CloudExperienceHostBroker.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:22:40 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: defaultuser0 Account Domain: DESKTOP-UT5JEJD Logon ID: 0x6628d Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xb5afa Linked Logon ID: 0xb5b1f Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x758 Process Name: C:\Windows\System32\CloudExperienceHostBroker.exe Network Information: Workstation Name: DESKTOP-UT5JEJD Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: OOBE Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. 
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:22:40 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: defaultuser0 Account Domain: DESKTOP-UT5JEJD Logon ID: 0x6628d Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xb5b1f Linked Logon ID: 0xb5afa Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x758 Process Name: C:\Windows\System32\CloudExperienceHostBroker.exe Network Information: Workstation Name: DESKTOP-UT5JEJD Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: OOBE Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. 
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 10:22:40 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xb5afa Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13826 | 2020-03-18 10:22:40 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x8a4 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 12544 | 2020-03-18 10:22:47 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: defaultuser0 Account Domain: DESKTOP-UT5JEJD Logon ID: 0x6628d Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x758 Process Name: C:\Windows\System32\CloudExperienceHostBroker.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:22:47 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: defaultuser0 Account Domain: DESKTOP-UT5JEJD Logon ID: 0x6628d Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xbed4b Linked Logon ID: 0xbed70 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x758 Process Name: C:\Windows\System32\CloudExperienceHostBroker.exe Network Information: Workstation Name: DESKTOP-UT5JEJD Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: OOBE Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. 
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:22:47 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: defaultuser0 Account Domain: DESKTOP-UT5JEJD Logon ID: 0x6628d Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xbed70 Linked Logon ID: 0xbed4b Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x758 Process Name: C:\Windows\System32\CloudExperienceHostBroker.exe Network Information: Workstation Name: DESKTOP-UT5JEJD Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: OOBE Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. 
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:22:47 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 10:22:47 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xbed4b Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:22:47 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12290 | 2020-03-18 10:23:28 | | Microsoft-Windows-Security-Auditing | 5061: Cryptographic operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: {9958B427-41A6-494A-83E0-B395A2CFCE0B} Key Type: %%2500 Cryptographic Operation: Operation: %%2481 Return Code: 0x0
|
| | Security | Audit Success | 12290 | 2020-03-18 10:23:28 | | Microsoft-Windows-Security-Auditing | 5061: Cryptographic operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: {58DE9657-9503-4F21-A501-BC60A1809D7D} Key Type: %%2500 Cryptographic Operation: Operation: %%2481 Return Code: 0x0
|
| | Security | Audit Success | 12292 | 2020-03-18 10:23:28 | | Microsoft-Windows-Security-Auditing | 5058: Key file operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Process Information: Process ID: 2620 Process Creation Time: 2020-03-18T02:22:47.937188200Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: {9958B427-41A6-494A-83E0-B395A2CFCE0B} Key Type: %%2500 Key File Operation Information: File Path: C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\e616b71df416cc5b9b621e575917310d_7fbcc963-8e43-4455-80cd-825694131a80 Operation: %%2459 Return Code: 0x0
|
| | Security | Audit Success | 12292 | 2020-03-18 10:23:28 | | Microsoft-Windows-Security-Auditing | 5058: Key file operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Process Information: Process ID: 2620 Process Creation Time: 2020-03-18T02:22:47.937188200Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: {58DE9657-9503-4F21-A501-BC60A1809D7D} Key Type: %%2500 Key File Operation Information: File Path: C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\8b6ae9b9e17b93ada91db6d609940064_7fbcc963-8e43-4455-80cd-825694131a80 Operation: %%2459 Return Code: 0x0
|
| | Security | Audit Success | 13824 | 2020-03-18 10:23:28 | | Microsoft-Windows-Security-Auditing | 5382: Vault credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 This event occurs when a user reads a stored vault credential.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:23:28 | | Microsoft-Windows-Security-Auditing | 5382: Vault credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 This event occurs when a user reads a stored vault credential.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:23:28 | | Microsoft-Windows-Security-Auditing | 5382: Vault credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 This event occurs when a user reads a stored vault credential.
|
| | Security | Audit Success | 12292 | 2020-03-18 10:23:29 | | Microsoft-Windows-Security-Auditing | 5059: Key migration operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Process Information: Process ID: 2620 Process Creation Time: 2020-03-18T02:22:47.937188200Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: {9958B427-41A6-494A-83E0-B395A2CFCE0B} Key Type: %%2500 Additional Information: Operation: %%2464 Return Code: 0x0
|
| | Security | Audit Success | 12292 | 2020-03-18 10:23:29 | | Microsoft-Windows-Security-Auditing | 5059: Key migration operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Process Information: Process ID: 2620 Process Creation Time: 2020-03-18T02:22:47.937188200Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: {9958B427-41A6-494A-83E0-B395A2CFCE0B} Key Type: %%2500 Additional Information: Operation: %%2464 Return Code: 0x0
|
| | Security | Audit Success | 12545 | 2020-03-18 10:23:39 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xbed70 Logon Type: 2 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12545 | 2020-03-18 10:23:39 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xbed4b Logon Type: 2 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:23:46 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 10:23:46 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2020-03-18 10:23:46 | | Microsoft-Windows-Security-Auditing | 4725: A user account was disabled. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: defaultuser0 Account Domain: DESKTOP-UT5JEJD
|
| | Security | Audit Success | 13824 | 2020-03-18 10:23:46 | | Microsoft-Windows-Security-Auditing | 4738: A user account was changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Target Account: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: defaultuser0 Account Domain: DESKTOP-UT5JEJD Changed Attributes: SAM Account Name: defaultuser0 Display Name: %%1793 User Principal Name: - Home Directory: %%1793 Home Drive: %%1793 Script Path: %%1793 Profile Path: %%1793 User Workstations: %%1793 Password Last Set: 3/17/2020 7:14:30 PM Account Expires: %%1794 Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x214 New UAC Value: 0x211 User Account Control: %%2080 %%2050 User Parameters: %%1793 SID History: - Logon Hours: %%1797 Additional Information: Privileges: -
|
| | Security | Audit Success | 13824 | 2020-03-18 10:23:46 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:23:46 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:23:46 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:23:46 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:23:46 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:23:46 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:23:46 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: defaultuser0 Account Domain: DESKTOP-UT5JEJD Logon ID: 0x6628d Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:23:46 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: defaultuser0 Account Domain: DESKTOP-UT5JEJD Logon ID: 0x6628d Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:23:46 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: defaultuser0 Account Domain: DESKTOP-UT5JEJD Logon ID: 0x6628d Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:23:46 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13826 | 2020-03-18 10:23:46 | | Microsoft-Windows-Security-Auditing | 4733: A member was removed from a security-enabled local group. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Member: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: - Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Additional Information: Privileges: -
|
| | Security | Audit Success | 12545 | 2020-03-18 10:23:47 | | Microsoft-Windows-Security-Auditing | 4647: User initiated logoff: Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: defaultuser0 Account Domain: DESKTOP-UT5JEJD Logon ID: 0x6628d This event is generated when a logoff is initiated. No further user-initiated activity can occur. This event can be interpreted as a logoff event.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:23:47 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-500 Account Name: Administrator Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0xb20 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 10:23:47 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-503 Account Name: DefaultAccount Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0xb20 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 10:23:47 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: defaultuser0 Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0xb20 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 10:23:47 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0xb20 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 10:23:47 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0xb20 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 10:23:47 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-504 Account Name: WDAGUtilityAccount Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0xb20 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 12544 | 2020-03-18 10:23:48 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: UMFD-2 Account Domain: Font Driver Host Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x1b50 Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:23:48 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1842 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-96-0-2 Account Name: UMFD-2 Account Domain: Font Driver Host Logon ID: 0xcf644 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1b50 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:23:48 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DWM-2 Account Domain: Window Manager Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x1b50 Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:23:48 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1842 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-90-0-2 Account Name: DWM-2 Account Domain: Window Manager Logon ID: 0xcfab3 Linked Logon ID: 0xcfadd Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1b50 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:23:48 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1842 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-90-0-2 Account Name: DWM-2 Account Domain: Window Manager Logon ID: 0xcfadd Linked Logon ID: 0xcfab3 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1b50 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:23:48 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xb20 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: 127.0.0.1 Port: 0 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:23:48 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd129b Linked Logon ID: 0xd12cf Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xb20 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: DESKTOP-UT5JEJD Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:23:48 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Linked Logon ID: 0xd129b Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xb20 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: DESKTOP-UT5JEJD Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12545 | 2020-03-18 10:23:48 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-96-0-1 Account Name: UMFD-1 Account Domain: Font Driver Host Logon ID: 0x111ec Logon Type: 2 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12548 | 2020-03-18 10:23:48 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-2 Account Name: DWM-2 Account Domain: Window Manager Logon ID: 0xcfab3 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:23:48 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-2 Account Name: DWM-2 Account Domain: Window Manager Logon ID: 0xcfadd Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:23:48 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd129b Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Failure | 12290 | 2020-03-18 10:23:49 | | Microsoft-Windows-Security-Auditing | 5061: Cryptographic operation. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: Microsoft Connected Devices Platform device certificate Key Type: %%2500 Cryptographic Operation: Operation: %%2480 Return Code: 0x80090016
|
| | Security | Audit Failure | 12290 | 2020-03-18 10:23:49 | | Microsoft-Windows-Security-Auditing | 5061: Cryptographic operation. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: Microsoft Connected Devices Platform device certificate Key Type: %%2500 Cryptographic Operation: Operation: %%2480 Return Code: 0x80090016
|
| | Security | Audit Failure | 12290 | 2020-03-18 10:23:49 | | Microsoft-Windows-Security-Auditing | 5061: Cryptographic operation. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: Microsoft Connected Devices Platform device certificate Key Type: %%2500 Cryptographic Operation: Operation: %%2480 Return Code: 0x80090016
|
| | Security | Audit Success | 12290 | 2020-03-18 10:23:49 | | Microsoft-Windows-Security-Auditing | 5061: Cryptographic operation. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: %%2500 Cryptographic Operation: Operation: %%2481 Return Code: 0x0
|
| | Security | Audit Success | 12290 | 2020-03-18 10:23:49 | | Microsoft-Windows-Security-Auditing | 5061: Cryptographic operation. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: %%2500 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
|
| | Security | Audit Success | 12292 | 2020-03-18 10:23:49 | | Microsoft-Windows-Security-Auditing | 5058: Key file operation. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Process Information: Process ID: 7044 Process Creation Time: 2020-03-18T02:23:49.342924100Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: %%2500 Key File Operation Information: File Path: C:\Users\redblue\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_7fbcc963-8e43-4455-80cd-825694131a80 Operation: %%2459 Return Code: 0x0
|
| | Security | Audit Success | 12292 | 2020-03-18 10:23:49 | | Microsoft-Windows-Security-Auditing | 5058: Key file operation. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Process Information: Process ID: 7044 Process Creation Time: 2020-03-18T02:23:49.342924100Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: Microsoft Connected Devices Platform device certificate Key Type: %%2500 Key File Operation Information: File Path: C:\Users\redblue\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_7fbcc963-8e43-4455-80cd-825694131a80 Operation: %%2458 Return Code: 0x0
|
| | Security | Audit Success | 12292 | 2020-03-18 10:23:49 | | Microsoft-Windows-Security-Auditing | 5059: Key migration operation. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Process Information: Process ID: 7044 Process Creation Time: 2020-03-18T02:23:49.342924100Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: %%2500 Additional Information: Operation: %%2464 Return Code: 0x0
|
| | Security | Audit Success | 12292 | 2020-03-18 10:23:49 | | Microsoft-Windows-Security-Auditing | 5059: Key migration operation. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Process Information: Process ID: 7044 Process Creation Time: 2020-03-18T02:23:49.342924100Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: %%2500 Additional Information: Operation: %%2464 Return Code: 0x0
|
| | Security | Audit Success | 12292 | 2020-03-18 10:23:49 | | Microsoft-Windows-Security-Auditing | 5059: Key migration operation. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Process Information: Process ID: 7044 Process Creation Time: 2020-03-18T02:23:49.342924100Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: %%2500 Additional Information: Operation: %%2464 Return Code: 0x0
|
| | Security | Audit Success | 12544 | 2020-03-18 10:23:49 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 10:23:49 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2020-03-18 10:23:49 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:23:49 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:23:49 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:23:49 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:23:49 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:23:49 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:23:49 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:23:49 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:23:49 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:23:49 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:23:49 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13826 | 2020-03-18 10:23:49 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x8a4 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 12545 | 2020-03-18 10:23:50 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x1745b Logon Type: 2 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12545 | 2020-03-18 10:23:50 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x17421 Logon Type: 2 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:23:50 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:23:50 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:23:50 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:23:50 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:23:59 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: defaultuser0 Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x13b8 Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 10:23:59 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: defaultuser0 Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x13b8 Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 10:23:59 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x13b8 Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 10:23:59 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x13b8 Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 10:23:59 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x13b8 Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 10:23:59 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x13b8 Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 10:24:00 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:24:00 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:24:00 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:24:00 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:24:21 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 10:24:21 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2020-03-18 10:24:21 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd129b Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:24:21 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd129b Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:24:21 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd129b Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:24:23 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:24:23 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:24:23 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:24:23 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:24:23 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:24:23 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:24:23 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:24:23 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:24:23 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:24:23 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:24:23 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:24:23 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:24:30 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:24:30 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:24:30 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:24:30 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:24:42 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:24:42 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:24:42 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:25:40 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:25:40 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:25:40 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:25:40 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:25:54 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 10:25:54 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2020-03-18 10:27:08 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:27:08 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:27:08 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:27:08 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:27:08 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:27:08 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:29:59 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 10:29:59 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2020-03-18 10:29:59 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:29:59 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:29:59 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:29:59 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:29:59 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:29:59 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:29:59 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:29:59 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:29:59 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:29:59 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:29:59 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:29:59 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:29:59 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:30:23 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x12fc Process Name: C:\Windows\System32\LogonUI.exe
|
| | Security | Audit Success | 12544 | 2020-03-18 10:32:32 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 10:32:32 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2020-03-18 10:32:32 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:32:32 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:32:32 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:32:32 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:32:35 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:32:35 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:32:35 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:32:39 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:32:43 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: defaultuser0 Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1108 Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 10:32:43 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: defaultuser0 Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1108 Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 10:32:43 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1108 Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 10:32:43 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1108 Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 10:32:43 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1108 Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 10:32:43 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1108 Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe
|
| | Security | Audit Success | 12544 | 2020-03-18 10:32:46 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xb20 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: 127.0.0.1 Port: 0 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:32:46 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x2136f8 Linked Logon ID: 0x21371e Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xb20 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: DESKTOP-UT5JEJD Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:32:46 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x21371e Linked Logon ID: 0x2136f8 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xb20 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: DESKTOP-UT5JEJD Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12545 | 2020-03-18 10:32:46 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x21371e Logon Type: 2 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12545 | 2020-03-18 10:32:46 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x2136f8 Logon Type: 2 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12548 | 2020-03-18 10:32:46 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x2136f8 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2020-03-18 10:32:46 | | Microsoft-Windows-Security-Auditing | 5382: Vault credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 This event occurs when a user reads a stored vault credential.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:32:48 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:32:48 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:32:48 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:32:48 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:32:56 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: defaultuser0 Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1108 Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 10:32:56 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: defaultuser0 Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1108 Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 10:32:56 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1108 Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 10:32:56 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1108 Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 10:32:56 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1108 Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 10:32:56 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1108 Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe
|
| | Security | Audit Success | 12544 | 2020-03-18 10:33:02 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 10:33:02 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2020-03-18 10:33:03 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 10:33:03 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2020-03-18 10:33:09 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x22b0 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 10:33:09 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x22b0 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 10:33:09 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Additional Information: Caller Workstation: DESKTOP-UT5JEJD Target Account Name: Administrator Target Account Domain: DESKTOP-UT5JEJD
|
| | Security | Audit Success | 13824 | 2020-03-18 10:33:09 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x22b0 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 10:33:09 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x22b0 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 10:33:09 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x22b0 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 10:33:09 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x22b0 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 10:33:13 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x22b0 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 10:33:13 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x22b0 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 10:33:13 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Additional Information: Caller Workstation: DESKTOP-UT5JEJD Target Account Name: Administrator Target Account Domain: DESKTOP-UT5JEJD
|
| | Security | Audit Success | 13824 | 2020-03-18 10:33:13 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x22b0 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 10:33:13 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x22b0 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 10:33:13 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x22b0 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 10:33:13 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x22b0 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
|
| | Security | Audit Success | 12544 | 2020-03-18 10:33:15 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 10:33:15 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2020-03-18 10:33:15 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:33:15 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:33:15 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:33:15 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:33:18 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:33:18 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:33:18 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:33:18 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:34:15 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 10:34:15 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2020-03-18 10:34:15 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:34:15 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:34:15 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:34:15 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:34:15 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:34:15 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:34:17 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:34:17 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:34:17 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:34:18 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:34:18 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:34:18 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:34:18 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:34:18 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:34:18 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:34:18 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:34:18 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:34:19 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 10:34:19 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2020-03-18 10:34:20 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 10:34:20 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2020-03-18 10:34:20 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:34:20 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8099 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:34:20 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:34:20 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:34:20 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:34:20 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:34:20 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:34:20 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:34:20 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:34:20 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:34:20 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:34:20 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:34:20 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:34:20 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:34:20 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:34:20 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:34:23 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:34:23 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:34:23 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:34:23 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:34:25 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:34:25 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:34:25 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:34:25 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:34:26 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:34:26 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:34:26 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:34:26 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:34:26 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:34:26 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:34:26 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:34:26 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:34:31 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:34:31 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:34:31 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:34:34 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:34:34 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:34:34 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:34:34 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:34:35 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 10:34:35 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2020-03-18 10:34:40 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:34:40 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:34:40 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:34:50 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:34:50 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:34:50 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:34:53 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:34:53 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:34:53 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:34:53 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:34:55 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:34:55 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:34:55 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:34:55 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:35:00 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:35:00 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:35:00 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:35:02 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:35:02 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:35:02 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:35:02 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:35:13 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 10:35:13 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2020-03-18 10:35:15 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x2158 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 10:35:15 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x2158 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 10:35:15 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Additional Information: Caller Workstation: DESKTOP-UT5JEJD Target Account Name: Administrator Target Account Domain: DESKTOP-UT5JEJD
|
| | Security | Audit Success | 13824 | 2020-03-18 10:35:15 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x2158 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 10:35:15 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x2158 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 10:35:15 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x2158 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 10:35:15 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x2158 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
|
| | Security | Audit Success | 12544 | 2020-03-18 10:35:16 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 10:35:16 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2020-03-18 10:35:17 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:35:17 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:35:17 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:35:17 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:35:17 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:35:17 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:35:19 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 10:35:19 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2020-03-18 10:35:22 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:35:22 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:35:22 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:35:22 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:35:25 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:35:25 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:35:25 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:35:25 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:35:38 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:35:38 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:35:38 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:35:39 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:35:39 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:35:39 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:35:39 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:35:44 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:35:44 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 10:35:44 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:35:44 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13826 | 2020-03-18 10:35:44 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x2f24 Process Name: C:\Windows\System32\VSSVC.exe
|
| | Security | Audit Success | 13826 | 2020-03-18 10:35:44 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x2f24 Process Name: C:\Windows\System32\VSSVC.exe
|
| | Security | Audit Success | 13826 | 2020-03-18 10:35:44 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x2f24 Process Name: C:\Windows\System32\VSSVC.exe
|
| | Security | Audit Success | 13826 | 2020-03-18 10:35:44 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x2f24 Process Name: C:\Windows\System32\VSSVC.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 10:35:47 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x2fb4 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 10:35:47 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x2fb4 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 10:35:47 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Additional Information: Caller Workstation: DESKTOP-UT5JEJD Target Account Name: Administrator Target Account Domain: DESKTOP-UT5JEJD
|
| | Security | Audit Success | 13824 | 2020-03-18 10:35:47 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x2fb4 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 10:35:47 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x2fb4 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 10:35:47 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x2fb4 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 10:35:47 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x2fb4 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
|
| | Security | Audit Success | 12290 | 2020-03-18 10:35:52 | | Microsoft-Windows-Security-Auditing | 5061: Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: SCEPProtocolKey-3c92ed63-1b51-4d34-aa1e-3e5c3631e71c Key Type: %%2500 Cryptographic Operation: Operation: %%2481 Return Code: 0x0
|
| | Security | Audit Success | 12290 | 2020-03-18 10:35:52 | | Microsoft-Windows-Security-Auditing | 5061: Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: SCEPProtocolKey-3c92ed63-1b51-4d34-aa1e-3e5c3631e71c Key Type: %%2500 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
|
| | Security | Audit Success | 12290 | 2020-03-18 10:35:52 | | Microsoft-Windows-Security-Auditing | 5061: Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: SCEPProtocolKey-3c92ed63-1b51-4d34-aa1e-3e5c3631e71c Key Type: %%2500 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
|
| | Security | Audit Success | 12292 | 2020-03-18 10:35:52 | | Microsoft-Windows-Security-Auditing | 5058: Key file operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Process Information: Process ID: 5180 Process Creation Time: 2020-03-18T02:20:34.048824900Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: SCEPProtocolKey-3c92ed63-1b51-4d34-aa1e-3e5c3631e71c Key Type: %%2500 Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\SystemKeys\446b9976d5ae54f85fc389a9187abfb6_7fbcc963-8e43-4455-80cd-825694131a80 Operation: %%2459 Return Code: 0x0
|
| | Security | Audit Success | 12292 | 2020-03-18 10:35:52 | | Microsoft-Windows-Security-Auditing | 5059: Key migration operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Process Information: Process ID: 5180 Process Creation Time: 2020-03-18T02:20:34.048824900Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: SCEPProtocolKey-3c92ed63-1b51-4d34-aa1e-3e5c3631e71c Key Type: %%2500 Additional Information: Operation: %%2464 Return Code: 0x0
|
| | Security | Audit Success | 12292 | 2020-03-18 10:35:52 | | Microsoft-Windows-Security-Auditing | 5059: Key migration operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Process Information: Process ID: 5180 Process Creation Time: 2020-03-18T02:20:34.048824900Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: SCEPProtocolKey-3c92ed63-1b51-4d34-aa1e-3e5c3631e71c Key Type: %%2500 Additional Information: Operation: %%2464 Return Code: 0x0
|
| | Security | Audit Success | 12292 | 2020-03-18 10:35:52 | | Microsoft-Windows-Security-Auditing | 5059: Key migration operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Process Information: Process ID: 5180 Process Creation Time: 2020-03-18T02:20:34.048824900Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: SCEPProtocolKey-3c92ed63-1b51-4d34-aa1e-3e5c3631e71c Key Type: %%2500 Additional Information: Operation: %%2464 Return Code: 0x0
|
| | Security | Audit Success | 12292 | 2020-03-18 10:35:52 | | Microsoft-Windows-Security-Auditing | 5059: Key migration operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Process Information: Process ID: 5180 Process Creation Time: 2020-03-18T02:20:34.048824900Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: SCEPProtocolKey-3c92ed63-1b51-4d34-aa1e-3e5c3631e71c Key Type: %%2500 Additional Information: Operation: %%2464 Return Code: 0x0
|
| | Security | Audit Success | 12292 | 2020-03-18 10:35:52 | | Microsoft-Windows-Security-Auditing | 5059: Key migration operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Process Information: Process ID: 5180 Process Creation Time: 2020-03-18T02:20:34.048824900Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: SCEPProtocolKey-3c92ed63-1b51-4d34-aa1e-3e5c3631e71c Key Type: %%2500 Additional Information: Operation: %%2464 Return Code: 0x0
|
| | Security | Audit Success | 12292 | 2020-03-18 10:35:52 | | Microsoft-Windows-Security-Auditing | 5059: Key migration operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Process Information: Process ID: 5180 Process Creation Time: 2020-03-18T02:20:34.048824900Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: SCEPProtocolKey-3c92ed63-1b51-4d34-aa1e-3e5c3631e71c Key Type: %%2500 Additional Information: Operation: %%2464 Return Code: 0x0
|
| | Security | Audit Success | 12292 | 2020-03-18 10:35:52 | | Microsoft-Windows-Security-Auditing | 5059: Key migration operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Process Information: Process ID: 5180 Process Creation Time: 2020-03-18T02:20:34.048824900Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: SCEPProtocolKey-3c92ed63-1b51-4d34-aa1e-3e5c3631e71c Key Type: %%2500 Additional Information: Operation: %%2464 Return Code: 0x0
|
| | Security | Audit Success | 12292 | 2020-03-18 10:35:52 | | Microsoft-Windows-Security-Auditing | 5059: Key migration operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Process Information: Process ID: 5180 Process Creation Time: 2020-03-18T02:20:34.048824900Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: SCEPProtocolKey-3c92ed63-1b51-4d34-aa1e-3e5c3631e71c Key Type: %%2500 Additional Information: Operation: %%2464 Return Code: 0x0
|
| | Security | Audit Success | 12292 | 2020-03-18 10:35:52 | | Microsoft-Windows-Security-Auditing | 5059: Key migration operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Process Information: Process ID: 5180 Process Creation Time: 2020-03-18T02:20:34.048824900Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: SCEPProtocolKey-3c92ed63-1b51-4d34-aa1e-3e5c3631e71c Key Type: %%2500 Additional Information: Operation: %%2464 Return Code: 0x0
|
| | Security | Audit Success | 12292 | 2020-03-18 10:35:52 | | Microsoft-Windows-Security-Auditing | 5059: Key migration operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Process Information: Process ID: 5180 Process Creation Time: 2020-03-18T02:20:34.048824900Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: SCEPProtocolKey-3c92ed63-1b51-4d34-aa1e-3e5c3631e71c Key Type: %%2500 Additional Information: Operation: %%2464 Return Code: 0x0
|
| | Security | Audit Success | 12292 | 2020-03-18 10:35:52 | | Microsoft-Windows-Security-Auditing | 5059: Key migration operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Process Information: Process ID: 5180 Process Creation Time: 2020-03-18T02:20:34.048824900Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: SCEPProtocolKey-3c92ed63-1b51-4d34-aa1e-3e5c3631e71c Key Type: %%2500 Additional Information: Operation: %%2464 Return Code: 0x0
|
| | Security | Audit Success | 12292 | 2020-03-18 10:35:52 | | Microsoft-Windows-Security-Auditing | 5059: Key migration operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Process Information: Process ID: 5180 Process Creation Time: 2020-03-18T02:20:34.048824900Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: SCEPProtocolKey-3c92ed63-1b51-4d34-aa1e-3e5c3631e71c Key Type: %%2500 Additional Information: Operation: %%2464 Return Code: 0x0
|
| | Security | Audit Success | 12292 | 2020-03-18 10:35:52 | | Microsoft-Windows-Security-Auditing | 5058: Key file operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Process Information: Process ID: 5180 Process Creation Time: 2020-03-18T02:20:34.048824900Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: SCEPProtocolKey-3c92ed63-1b51-4d34-aa1e-3e5c3631e71c Key Type: %%2500 Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\SystemKeys\446b9976d5ae54f85fc389a9187abfb6_7fbcc963-8e43-4455-80cd-825694131a80 Operation: %%2458 Return Code: 0x0
|
| | Security | Audit Success | 12292 | 2020-03-18 10:35:52 | | Microsoft-Windows-Security-Auditing | 5058: Key file operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Process Information: Process ID: 5180 Process Creation Time: 2020-03-18T02:20:34.048824900Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: SCEPProtocolKey-3c92ed63-1b51-4d34-aa1e-3e5c3631e71c Key Type: %%2500 Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\SystemKeys\446b9976d5ae54f85fc389a9187abfb6_7fbcc963-8e43-4455-80cd-825694131a80 Operation: %%2458 Return Code: 0x0
|
| | Security | Audit Success | 13824 | 2020-03-18 10:36:11 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x2fb4 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 10:36:11 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Additional Information: Caller Workstation: DESKTOP-UT5JEJD Target Account Name: Administrator Target Account Domain: DESKTOP-UT5JEJD
|
| | Security | Audit Success | 13824 | 2020-03-18 10:36:11 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x2fb4 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 10:36:11 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x2fb4 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 10:36:11 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x2fb4 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 10:36:11 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x2fb4 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
|
| | Security | Audit Success | 12544 | 2020-03-18 10:36:20 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 10:36:20 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12290 | 2020-03-18 10:36:37 | | Microsoft-Windows-Security-Auditing | 5061: Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: SCEPProtocolKey-3c92ed63-1b51-4d34-aa1e-3e5c3631e71c Key Type: %%2500 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
|
| | Security | Audit Success | 12292 | 2020-03-18 10:36:37 | | Microsoft-Windows-Security-Auditing | 5058: Key file operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Process Information: Process ID: 5180 Process Creation Time: 2020-03-18T02:20:34.048824900Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: SCEPProtocolKey-3c92ed63-1b51-4d34-aa1e-3e5c3631e71c Key Type: %%2500 Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\SystemKeys\446b9976d5ae54f85fc389a9187abfb6_7fbcc963-8e43-4455-80cd-825694131a80 Operation: %%2458 Return Code: 0x0
|
| | Security | Audit Success | 12290 | 2020-03-18 10:36:38 | | Microsoft-Windows-Security-Auditing | 5061: Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: SCEPProtocolKey-3c92ed63-1b51-4d34-aa1e-3e5c3631e71c Key Type: %%2500 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
|
| | Security | Audit Success | 12290 | 2020-03-18 10:36:38 | | Microsoft-Windows-Security-Auditing | 5061: Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: SCEPProtocolKey-3c92ed63-1b51-4d34-aa1e-3e5c3631e71c Key Type: %%2500 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
|
| | Security | Audit Success | 12292 | 2020-03-18 10:36:38 | | Microsoft-Windows-Security-Auditing | 5058: Key file operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Process Information: Process ID: 5180 Process Creation Time: 2020-03-18T02:20:34.048824900Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: SCEPProtocolKey-3c92ed63-1b51-4d34-aa1e-3e5c3631e71c Key Type: %%2500 Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\SystemKeys\446b9976d5ae54f85fc389a9187abfb6_7fbcc963-8e43-4455-80cd-825694131a80 Operation: %%2458 Return Code: 0x0
|
| | Security | Audit Success | 12292 | 2020-03-18 10:36:38 | | Microsoft-Windows-Security-Auditing | 5058: Key file operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Process Information: Process ID: 5180 Process Creation Time: 2020-03-18T02:20:34.048824900Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: SCEPProtocolKey-3c92ed63-1b51-4d34-aa1e-3e5c3631e71c Key Type: %%2500 Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\SystemKeys\446b9976d5ae54f85fc389a9187abfb6_7fbcc963-8e43-4455-80cd-825694131a80 Operation: %%2458 Return Code: 0x0
|
| | Security | Audit Success | 13824 | 2020-03-18 10:36:47 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1458 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 10:36:47 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1458 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 10:36:47 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Additional Information: Caller Workstation: DESKTOP-UT5JEJD Target Account Name: Administrator Target Account Domain: DESKTOP-UT5JEJD
|
| | Security | Audit Success | 13824 | 2020-03-18 10:36:47 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1458 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 10:36:47 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1458 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 10:36:47 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1458 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 10:36:47 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1458 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
|
| | Security | Audit Success | 12544 | 2020-03-18 10:36:49 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 10:36:49 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12290 | 2020-03-18 10:37:05 | | Microsoft-Windows-Security-Auditing | 5061: Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: SCEPProtocolKey-3c92ed63-1b51-4d34-aa1e-3e5c3631e71c Key Type: %%2500 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
|
| | Security | Audit Success | 12290 | 2020-03-18 10:37:05 | | Microsoft-Windows-Security-Auditing | 5061: Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: SCEPProtocolKey-3c92ed63-1b51-4d34-aa1e-3e5c3631e71c Key Type: %%2500 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
|
| | Security | Audit Success | 12292 | 2020-03-18 10:37:05 | | Microsoft-Windows-Security-Auditing | 5058: Key file operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Process Information: Process ID: 5180 Process Creation Time: 2020-03-18T02:20:34.048824900Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: SCEPProtocolKey-3c92ed63-1b51-4d34-aa1e-3e5c3631e71c Key Type: %%2500 Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\SystemKeys\446b9976d5ae54f85fc389a9187abfb6_7fbcc963-8e43-4455-80cd-825694131a80 Operation: %%2458 Return Code: 0x0
|
| | Security | Audit Success | 12292 | 2020-03-18 10:37:05 | | Microsoft-Windows-Security-Auditing | 5058: Key file operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Process Information: Process ID: 5180 Process Creation Time: 2020-03-18T02:20:34.048824900Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: SCEPProtocolKey-3c92ed63-1b51-4d34-aa1e-3e5c3631e71c Key Type: %%2500 Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\SystemKeys\446b9976d5ae54f85fc389a9187abfb6_7fbcc963-8e43-4455-80cd-825694131a80 Operation: %%2458 Return Code: 0x0
|
| | Security | Audit Success | 12292 | 2020-03-18 10:37:05 | | Microsoft-Windows-Security-Auditing | 5058: Key file operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Process Information: Process ID: 5180 Process Creation Time: 2020-03-18T02:20:34.048824900Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: SCEPProtocolKey-3c92ed63-1b51-4d34-aa1e-3e5c3631e71c Key Type: %%2500 Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\SystemKeys\446b9976d5ae54f85fc389a9187abfb6_7fbcc963-8e43-4455-80cd-825694131a80 Operation: %%2457 Return Code: 0x0
|
| | Security | Audit Success | 13824 | 2020-03-18 10:37:18 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 12290 | 2020-03-18 10:37:27 | | Microsoft-Windows-Security-Auditing | 5061: Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: SCEPProtocolKey-11dbdd43-036d-4fa1-b716-a3fbe5ec56b6 Key Type: %%2500 Cryptographic Operation: Operation: %%2481 Return Code: 0x0
|
| | Security | Audit Success | 12290 | 2020-03-18 10:37:27 | | Microsoft-Windows-Security-Auditing | 5061: Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: SCEPProtocolKey-11dbdd43-036d-4fa1-b716-a3fbe5ec56b6 Key Type: %%2500 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
|
| | Security | Audit Success | 12290 | 2020-03-18 10:37:27 | | Microsoft-Windows-Security-Auditing | 5061: Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: SCEPProtocolKey-11dbdd43-036d-4fa1-b716-a3fbe5ec56b6 Key Type: %%2500 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
|
| | Security | Audit Success | 12292 | 2020-03-18 10:37:27 | | Microsoft-Windows-Security-Auditing | 5058: Key file operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Process Information: Process ID: 5180 Process Creation Time: 2020-03-18T02:20:34.048824900Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: SCEPProtocolKey-11dbdd43-036d-4fa1-b716-a3fbe5ec56b6 Key Type: %%2500 Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\SystemKeys\ca8b8b749c7385d0d0c5ba041080d6ea_7fbcc963-8e43-4455-80cd-825694131a80 Operation: %%2459 Return Code: 0x0
|
| | Security | Audit Success | 12292 | 2020-03-18 10:37:27 | | Microsoft-Windows-Security-Auditing | 5059: Key migration operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Process Information: Process ID: 5180 Process Creation Time: 2020-03-18T02:20:34.048824900Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: SCEPProtocolKey-11dbdd43-036d-4fa1-b716-a3fbe5ec56b6 Key Type: %%2500 Additional Information: Operation: %%2464 Return Code: 0x0
|
| | Security | Audit Success | 12292 | 2020-03-18 10:37:27 | | Microsoft-Windows-Security-Auditing | 5059: Key migration operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Process Information: Process ID: 5180 Process Creation Time: 2020-03-18T02:20:34.048824900Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: SCEPProtocolKey-11dbdd43-036d-4fa1-b716-a3fbe5ec56b6 Key Type: %%2500 Additional Information: Operation: %%2464 Return Code: 0x0
|
| | Security | Audit Success | 12292 | 2020-03-18 10:37:27 | | Microsoft-Windows-Security-Auditing | 5059: Key migration operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Process Information: Process ID: 5180 Process Creation Time: 2020-03-18T02:20:34.048824900Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: SCEPProtocolKey-11dbdd43-036d-4fa1-b716-a3fbe5ec56b6 Key Type: %%2500 Additional Information: Operation: %%2464 Return Code: 0x0
|
| | Security | Audit Success | 12292 | 2020-03-18 10:37:27 | | Microsoft-Windows-Security-Auditing | 5059: Key migration operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Process Information: Process ID: 5180 Process Creation Time: 2020-03-18T02:20:34.048824900Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: SCEPProtocolKey-11dbdd43-036d-4fa1-b716-a3fbe5ec56b6 Key Type: %%2500 Additional Information: Operation: %%2464 Return Code: 0x0
|
| | Security | Audit Success | 12292 | 2020-03-18 10:37:27 | | Microsoft-Windows-Security-Auditing | 5059: Key migration operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Process Information: Process ID: 5180 Process Creation Time: 2020-03-18T02:20:34.048824900Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: SCEPProtocolKey-11dbdd43-036d-4fa1-b716-a3fbe5ec56b6 Key Type: %%2500 Additional Information: Operation: %%2464 Return Code: 0x0
|
| | Security | Audit Success | 12292 | 2020-03-18 10:37:27 | | Microsoft-Windows-Security-Auditing | 5059: Key migration operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Process Information: Process ID: 5180 Process Creation Time: 2020-03-18T02:20:34.048824900Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: SCEPProtocolKey-11dbdd43-036d-4fa1-b716-a3fbe5ec56b6 Key Type: %%2500 Additional Information: Operation: %%2464 Return Code: 0x0
|
| | Security | Audit Success | 12292 | 2020-03-18 10:37:27 | | Microsoft-Windows-Security-Auditing | 5059: Key migration operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Process Information: Process ID: 5180 Process Creation Time: 2020-03-18T02:20:34.048824900Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: SCEPProtocolKey-11dbdd43-036d-4fa1-b716-a3fbe5ec56b6 Key Type: %%2500 Additional Information: Operation: %%2464 Return Code: 0x0
|
| | Security | Audit Success | 12292 | 2020-03-18 10:37:27 | | Microsoft-Windows-Security-Auditing | 5059: Key migration operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Process Information: Process ID: 5180 Process Creation Time: 2020-03-18T02:20:34.048824900Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: SCEPProtocolKey-11dbdd43-036d-4fa1-b716-a3fbe5ec56b6 Key Type: %%2500 Additional Information: Operation: %%2464 Return Code: 0x0
|
| | Security | Audit Success | 12292 | 2020-03-18 10:37:27 | | Microsoft-Windows-Security-Auditing | 5059: Key migration operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Process Information: Process ID: 5180 Process Creation Time: 2020-03-18T02:20:34.048824900Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: SCEPProtocolKey-11dbdd43-036d-4fa1-b716-a3fbe5ec56b6 Key Type: %%2500 Additional Information: Operation: %%2464 Return Code: 0x0
|
| | Security | Audit Success | 12292 | 2020-03-18 10:37:27 | | Microsoft-Windows-Security-Auditing | 5059: Key migration operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Process Information: Process ID: 5180 Process Creation Time: 2020-03-18T02:20:34.048824900Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: SCEPProtocolKey-11dbdd43-036d-4fa1-b716-a3fbe5ec56b6 Key Type: %%2500 Additional Information: Operation: %%2464 Return Code: 0x0
|
| | Security | Audit Success | 12292 | 2020-03-18 10:37:27 | | Microsoft-Windows-Security-Auditing | 5059: Key migration operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Process Information: Process ID: 5180 Process Creation Time: 2020-03-18T02:20:34.048824900Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: SCEPProtocolKey-11dbdd43-036d-4fa1-b716-a3fbe5ec56b6 Key Type: %%2500 Additional Information: Operation: %%2464 Return Code: 0x0
|
| | Security | Audit Success | 12292 | 2020-03-18 10:37:27 | | Microsoft-Windows-Security-Auditing | 5059: Key migration operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Process Information: Process ID: 5180 Process Creation Time: 2020-03-18T02:20:34.048824900Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: SCEPProtocolKey-11dbdd43-036d-4fa1-b716-a3fbe5ec56b6 Key Type: %%2500 Additional Information: Operation: %%2464 Return Code: 0x0
|
| | Security | Audit Success | 12292 | 2020-03-18 10:37:27 | | Microsoft-Windows-Security-Auditing | 5058: Key file operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Process Information: Process ID: 5180 Process Creation Time: 2020-03-18T02:20:34.048824900Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: SCEPProtocolKey-11dbdd43-036d-4fa1-b716-a3fbe5ec56b6 Key Type: %%2500 Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\SystemKeys\ca8b8b749c7385d0d0c5ba041080d6ea_7fbcc963-8e43-4455-80cd-825694131a80 Operation: %%2458 Return Code: 0x0
|
| | Security | Audit Success | 12292 | 2020-03-18 10:37:27 | | Microsoft-Windows-Security-Auditing | 5058: Key file operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Process Information: Process ID: 5180 Process Creation Time: 2020-03-18T02:20:34.048824900Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: SCEPProtocolKey-11dbdd43-036d-4fa1-b716-a3fbe5ec56b6 Key Type: %%2500 Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\SystemKeys\ca8b8b749c7385d0d0c5ba041080d6ea_7fbcc963-8e43-4455-80cd-825694131a80 Operation: %%2458 Return Code: 0x0
|
| | Security | Audit Success | 12290 | 2020-03-18 10:37:32 | | Microsoft-Windows-Security-Auditing | 5061: Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: SCEPProtocolKey-11dbdd43-036d-4fa1-b716-a3fbe5ec56b6 Key Type: %%2500 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
|
| | Security | Audit Success | 12292 | 2020-03-18 10:37:32 | | Microsoft-Windows-Security-Auditing | 5058: Key file operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Process Information: Process ID: 5180 Process Creation Time: 2020-03-18T02:20:34.048824900Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: SCEPProtocolKey-11dbdd43-036d-4fa1-b716-a3fbe5ec56b6 Key Type: %%2500 Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\SystemKeys\ca8b8b749c7385d0d0c5ba041080d6ea_7fbcc963-8e43-4455-80cd-825694131a80 Operation: %%2458 Return Code: 0x0
|
| | Security | Audit Success | 12290 | 2020-03-18 10:37:33 | | Microsoft-Windows-Security-Auditing | 5061: Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: SCEPProtocolKey-11dbdd43-036d-4fa1-b716-a3fbe5ec56b6 Key Type: %%2500 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
|
| | Security | Audit Success | 12290 | 2020-03-18 10:37:33 | | Microsoft-Windows-Security-Auditing | 5061: Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: SCEPProtocolKey-11dbdd43-036d-4fa1-b716-a3fbe5ec56b6 Key Type: %%2500 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
|
| | Security | Audit Success | 12292 | 2020-03-18 10:37:33 | | Microsoft-Windows-Security-Auditing | 5058: Key file operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Process Information: Process ID: 5180 Process Creation Time: 2020-03-18T02:20:34.048824900Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: SCEPProtocolKey-11dbdd43-036d-4fa1-b716-a3fbe5ec56b6 Key Type: %%2500 Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\SystemKeys\ca8b8b749c7385d0d0c5ba041080d6ea_7fbcc963-8e43-4455-80cd-825694131a80 Operation: %%2458 Return Code: 0x0
|
| | Security | Audit Success | 12292 | 2020-03-18 10:37:33 | | Microsoft-Windows-Security-Auditing | 5058: Key file operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Process Information: Process ID: 5180 Process Creation Time: 2020-03-18T02:20:34.048824900Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: SCEPProtocolKey-11dbdd43-036d-4fa1-b716-a3fbe5ec56b6 Key Type: %%2500 Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\SystemKeys\ca8b8b749c7385d0d0c5ba041080d6ea_7fbcc963-8e43-4455-80cd-825694131a80 Operation: %%2458 Return Code: 0x0
|
| | Security | Audit Success | 12290 | 2020-03-18 10:38:41 | | Microsoft-Windows-Security-Auditing | 5061: Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: SCEPProtocolKey-11dbdd43-036d-4fa1-b716-a3fbe5ec56b6 Key Type: %%2500 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
|
| | Security | Audit Success | 12292 | 2020-03-18 10:38:41 | | Microsoft-Windows-Security-Auditing | 5058: Key file operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Process Information: Process ID: 5180 Process Creation Time: 2020-03-18T02:20:34.048824900Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: SCEPProtocolKey-11dbdd43-036d-4fa1-b716-a3fbe5ec56b6 Key Type: %%2500 Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\SystemKeys\ca8b8b749c7385d0d0c5ba041080d6ea_7fbcc963-8e43-4455-80cd-825694131a80 Operation: %%2458 Return Code: 0x0
|
| | Security | Audit Success | 12292 | 2020-03-18 10:38:41 | | Microsoft-Windows-Security-Auditing | 5058: Key file operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Process Information: Process ID: 5180 Process Creation Time: 2020-03-18T02:20:34.048824900Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: SCEPProtocolKey-11dbdd43-036d-4fa1-b716-a3fbe5ec56b6 Key Type: %%2500 Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\SystemKeys\ca8b8b749c7385d0d0c5ba041080d6ea_7fbcc963-8e43-4455-80cd-825694131a80 Operation: %%2457 Return Code: 0x0
|
| | Security | Audit Success | 13824 | 2020-03-18 10:40:07 | | Microsoft-Windows-Security-Auditing | 5381: Vault credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf This event occurs when a user enumerates stored vault credentials.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:40:07 | | Microsoft-Windows-Security-Auditing | 5381: Vault credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf This event occurs when a user enumerates stored vault credentials.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:40:48 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 10:40:48 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2020-03-18 10:40:50 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 10:40:50 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2020-03-18 10:40:50 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x20b0 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 10:40:50 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x20b0 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 10:40:50 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Additional Information: Caller Workstation: DESKTOP-UT5JEJD Target Account Name: Administrator Target Account Domain: DESKTOP-UT5JEJD
|
| | Security | Audit Success | 13824 | 2020-03-18 10:40:50 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x20b0 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 10:40:50 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x20b0 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 10:40:50 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x20b0 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 10:40:50 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x20b0 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 10:40:51 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:40:51 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:40:51 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:40:51 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:40:51 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:40:51 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:41:55 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 10:41:55 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2020-03-18 10:42:56 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 10:42:56 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2020-03-18 10:43:00 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x20b0 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 10:43:00 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Additional Information: Caller Workstation: DESKTOP-UT5JEJD Target Account Name: Administrator Target Account Domain: DESKTOP-UT5JEJD
|
| | Security | Audit Success | 13824 | 2020-03-18 10:43:00 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x20b0 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 10:43:00 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x20b0 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 10:43:00 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x20b0 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 10:43:00 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x20b0 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
|
| | Security | Audit Success | 13826 | 2020-03-18 10:43:00 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x1ca4 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 12544 | 2020-03-18 10:44:24 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:44:24 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 10:44:24 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:44:24 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2020-03-18 10:44:24 | | Microsoft-Windows-Security-Auditing | 4726: A user account was deleted. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd129b Target Account: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: defaultuser0 Account Domain: DESKTOP-UT5JEJD Additional Information: Privileges -
|
| | Security | Audit Success | 13824 | 2020-03-18 10:44:24 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:44:24 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:44:24 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:44:24 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:44:24 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:44:24 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13826 | 2020-03-18 10:44:24 | | Microsoft-Windows-Security-Auditing | 4733: A member was removed from a security-enabled local group. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd129b Member: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: - Group: Security ID: S-1-5-32-545 Group Name: Users Group Domain: Builtin Additional Information: Privileges: -
|
| | Security | Audit Success | 13826 | 2020-03-18 10:44:24 | | Microsoft-Windows-Security-Auditing | 4729: A member was removed from a security-enabled global group. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd129b Member: Security ID: S-1-5-21-4230960370-218822903-690480705-1001 Account Name: - Group: Security ID: S-1-5-21-4230960370-218822903-690480705-513 Group Name: None Group Domain: DESKTOP-UT5JEJD Additional Information: Privileges: -
|
| | Security | Audit Success | 13826 | 2020-03-18 10:44:24 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd129b Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x8a4 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 12544 | 2020-03-18 10:44:57 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 10:44:57 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2020-03-18 10:45:06 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x2be4 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 10:45:06 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x2be4 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 10:45:06 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Additional Information: Caller Workstation: DESKTOP-UT5JEJD Target Account Name: Administrator Target Account Domain: DESKTOP-UT5JEJD
|
| | Security | Audit Success | 13824 | 2020-03-18 10:45:06 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x2be4 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 10:45:06 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x2be4 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 10:45:06 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x2be4 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 10:45:06 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x2be4 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 10:45:10 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x2be4 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 10:45:10 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x2be4 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 10:45:10 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Additional Information: Caller Workstation: DESKTOP-UT5JEJD Target Account Name: Administrator Target Account Domain: DESKTOP-UT5JEJD
|
| | Security | Audit Success | 13824 | 2020-03-18 10:45:10 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x2be4 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 10:45:10 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x2be4 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 10:45:10 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x2be4 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 10:45:10 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x2be4 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
|
| | Security | Audit Success | 12544 | 2020-03-18 10:45:12 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 10:45:12 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Failure | 12544 | 2020-03-18 10:45:27 | | Microsoft-Windows-Security-Auditing | 4625: An account failed to log on. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Logon Type: 2 Account For Which Logon Failed: Security ID: S-1-0-0 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Failure Information: Failure Reason: %%2313 Status: 0xc000006d Sub Status: 0xc000006a Process Information: Caller Process ID: 0xae8 Caller Process Name: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe Network Information: Workstation Name: DESKTOP-UT5JEJD Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon request fails. It is generated on the computer where access was attempted. The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network). The Process Information fields indicate which account and process on the system requested the logon. The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:45:27 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0xae8 Process Name: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 10:45:59 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:45:59 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:45:59 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:45:59 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Additional Information: Caller Workstation: DESKTOP-UT5JEJD Target Account Name: Administrator Target Account Domain: DESKTOP-UT5JEJD
|
| | Security | Audit Success | 13824 | 2020-03-18 10:45:59 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Additional Information: Caller Workstation: DESKTOP-UT5JEJD Target Account Name: DefaultAccount Target Account Domain: DESKTOP-UT5JEJD
|
| | Security | Audit Success | 13824 | 2020-03-18 10:45:59 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Additional Information: Caller Workstation: DESKTOP-UT5JEJD Target Account Name: Guest Target Account Domain: DESKTOP-UT5JEJD
|
| | Security | Audit Success | 13824 | 2020-03-18 10:45:59 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Additional Information: Caller Workstation: DESKTOP-UT5JEJD Target Account Name: WDAGUtilityAccount Target Account Domain: DESKTOP-UT5JEJD
|
| | Security | Audit Success | 13824 | 2020-03-18 10:46:05 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:46:05 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:46:05 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:46:05 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:47:11 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:47:49 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 10:47:49 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2020-03-18 10:47:50 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 10:47:50 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2020-03-18 10:47:51 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:47:51 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 10:47:51 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:47:51 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13568 | 2020-03-18 10:47:51 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\_0000000000000000.cdf-ms Handle ID: 0x4d0 Process Information: Process ID: 0x2a64 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.471_none_5f12f35059003107\TiWorker.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 10:47:51 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$.cdf-ms Handle ID: 0x544 Process Information: Process ID: 0x2a64 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.471_none_5f12f35059003107\TiWorker.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 10:47:51 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_syswow64_21ffbdd2a2dd92e0.cdf-ms Handle ID: 0x48c Process Information: Process ID: 0x2a64 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.471_none_5f12f35059003107\TiWorker.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 10:47:51 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_syswow64_macromed_flash_853cbcf10f17f618.cdf-ms Handle ID: 0x4d0 Process Information: Process ID: 0x2a64 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.471_none_5f12f35059003107\TiWorker.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 10:47:51 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_21f9a9c4a2f8b514.cdf-ms Handle ID: 0x544 Process Information: Process ID: 0x2a64 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.471_none_5f12f35059003107\TiWorker.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 10:47:51 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_macromed_flash_5ff3bc7496f0271e.cdf-ms Handle ID: 0x48c Process Information: Process ID: 0x2a64 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.471_none_5f12f35059003107\TiWorker.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 10:47:51 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\Macromed\Flash\activex.vch Handle ID: 0x4d0 Process Information: Process ID: 0x2a64 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.471_none_5f12f35059003107\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 10:47:51 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\Macromed\Flash\Flash.ocx Handle ID: 0x588 Process Information: Process ID: 0x2a64 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.471_none_5f12f35059003107\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 10:47:51 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\Macromed\Flash\FlashUtil_ActiveX.dll Handle ID: 0x4d0 Process Information: Process ID: 0x2a64 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.471_none_5f12f35059003107\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 10:47:51 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\Macromed\Flash\FlashUtil_ActiveX.exe Handle ID: 0x550 Process Information: Process ID: 0x2a64 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.471_none_5f12f35059003107\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 10:47:51 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\Macromed\Flash\activex.vch Handle ID: 0x4d8 Process Information: Process ID: 0x2a64 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.471_none_5f12f35059003107\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 10:47:51 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\Macromed\Flash\Flash.ocx Handle ID: 0x544 Process Information: Process ID: 0x2a64 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.471_none_5f12f35059003107\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 10:47:51 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\Macromed\Flash\FlashUtil_ActiveX.dll Handle ID: 0x550 Process Information: Process ID: 0x2a64 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.471_none_5f12f35059003107\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 10:47:51 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\Macromed\Flash\FlashUtil_ActiveX.exe Handle ID: 0x4d8 Process Information: Process ID: 0x2a64 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.471_none_5f12f35059003107\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13826 | 2020-03-18 10:47:51 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x292c Process Name: C:\Windows\System32\VSSVC.exe
|
| | Security | Audit Success | 13826 | 2020-03-18 10:47:51 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x292c Process Name: C:\Windows\System32\VSSVC.exe
|
| | Security | Audit Success | 13826 | 2020-03-18 10:47:51 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x292c Process Name: C:\Windows\System32\VSSVC.exe
|
| | Security | Audit Success | 13826 | 2020-03-18 10:47:51 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x292c Process Name: C:\Windows\System32\VSSVC.exe
|
| | Security | Audit Success | 13568 | 2020-03-18 10:48:05 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\_0000000000000000.cdf-ms Handle ID: 0x11a0 Process Information: Process ID: 0x2a64 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.471_none_5f12f35059003107\TiWorker.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 10:48:05 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$.cdf-ms Handle ID: 0x119c Process Information: Process ID: 0x2a64 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.471_none_5f12f35059003107\TiWorker.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 10:48:05 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_21f9a9c4a2f8b514.cdf-ms Handle ID: 0x9e8 Process Information: Process ID: 0x2a64 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.471_none_5f12f35059003107\TiWorker.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 10:48:05 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_wbem_06656d9fdf2f8577.cdf-ms Handle ID: 0x11a0 Process Information: Process ID: 0x2a64 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.471_none_5f12f35059003107\TiWorker.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 10:48:05 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_microsoft.net_3296b36dbe4c7fa3.cdf-ms Handle ID: 0x5fc Process Information: Process ID: 0x2a64 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.471_none_5f12f35059003107\TiWorker.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 10:48:05 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_microsoft.net_framework64_083d4e330e766c5d.cdf-ms Handle ID: 0x11a4 Process Information: Process ID: 0x2a64 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.471_none_5f12f35059003107\TiWorker.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 10:48:05 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_microsoft.net_framework64_v4.0.30319_46321ba736a30085.cdf-ms Handle ID: 0x119c Process Information: Process ID: 0x2a64 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.471_none_5f12f35059003107\TiWorker.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 10:48:05 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_microsoft.net_framework64_v4.0.30319_wpf_647a02df72a14032.cdf-ms Handle ID: 0x9e8 Process Information: Process ID: 0x2a64 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.471_none_5f12f35059003107\TiWorker.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 10:48:05 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_microsoft.net_framework64_v4.0.30319_wpf_fonts_0428e0346460ac4c.cdf-ms Handle ID: 0x11a4 Process Information: Process ID: 0x2a64 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.471_none_5f12f35059003107\TiWorker.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 10:48:05 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_microsoft.net_framework64_v4.0.30319_wpf_en-us_0242687c673a608c.cdf-ms Handle ID: 0x119c Process Information: Process ID: 0x2a64 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.471_none_5f12f35059003107\TiWorker.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 10:48:05 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_microsoft.net_framework64_v4.0.30319_nativeimages_ae465c5139d1dacc.cdf-ms Handle ID: 0x11a8 Process Information: Process ID: 0x2a64 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.471_none_5f12f35059003107\TiWorker.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 10:48:05 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_microsoft.net_framework_83386eac0379231b.cdf-ms Handle ID: 0x9e8 Process Information: Process ID: 0x2a64 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.471_none_5f12f35059003107\TiWorker.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 10:48:05 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_microsoft.net_framework_v4.0.30319_c40c7a995ddd757b.cdf-ms Handle ID: 0x119c Process Information: Process ID: 0x2a64 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.471_none_5f12f35059003107\TiWorker.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 10:48:05 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_microsoft.net_framework_v4.0.30319_wpf_bc1339ef8efa3c4c.cdf-ms Handle ID: 0x11a8 Process Information: Process ID: 0x2a64 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.471_none_5f12f35059003107\TiWorker.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 10:48:05 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_microsoft.net_framework_v4.0.30319_wpf_fonts_dc62106d96619a3c.cdf-ms Handle ID: 0x9e8 Process Information: Process ID: 0x2a64 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.471_none_5f12f35059003107\TiWorker.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 10:48:05 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_microsoft.net_framework_v4.0.30319_wpf_en-us_dc5fd125966afabc.cdf-ms Handle ID: 0x119c Process Information: Process ID: 0x2a64 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.471_none_5f12f35059003107\TiWorker.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 10:48:05 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_microsoft.net_framework_v4.0.30319_nativeimages_7f83bd6ed8241f3a.cdf-ms Handle ID: 0x11a8 Process Information: Process ID: 0x2a64 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.471_none_5f12f35059003107\TiWorker.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 10:48:05 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_inf_3f581daba4c8c835.cdf-ms Handle ID: 0x119c Process Information: Process ID: 0x2a64 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.471_none_5f12f35059003107\TiWorker.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 10:48:05 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_inf_smsvchost_4.0.0.0_13299f3c208ca635.cdf-ms Handle ID: 0x11a8 Process Information: Process ID: 0x2a64 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.471_none_5f12f35059003107\TiWorker.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 10:48:05 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_inf_smsvchost_4.0.0.0_0000_1bb3624f8498ff51.cdf-ms Handle ID: 0x5fc Process Information: Process ID: 0x2a64 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.471_none_5f12f35059003107\TiWorker.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 10:48:05 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Aspnet_perf.dll Handle ID: 0x119c Process Information: Process ID: 0x2a64 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.471_none_5f12f35059003107\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 10:48:05 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe Handle ID: 0x119c Process Information: Process ID: 0x2a64 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.471_none_5f12f35059003107\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13824 | 2020-03-18 10:48:54 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:48:54 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:48:54 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 10:48:54 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:49:09 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 10:49:09 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2020-03-18 10:49:16 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:49:51 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:49:51 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:49:51 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:49:51 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:49:51 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:49:51 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:49:51 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:49:51 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 10:49:51 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:49:51 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:49:51 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:49:51 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:49:51 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:49:51 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:49:51 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:49:51 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2020-03-18 10:50:34 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:50:34 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 10:50:34 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:50:34 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2020-03-18 10:50:53 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 10:50:53 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13826 | 2020-03-18 10:50:53 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x1f3c Process Name: C:\Windows\System32\SearchIndexer.exe
|
| | Security | Audit Success | 12544 | 2020-03-18 10:51:04 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 10:51:04 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13826 | 2020-03-18 10:51:04 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x2b94 Process Name: C:\Windows\System32\SearchIndexer.exe
|
| | Security | Audit Success | 12544 | 2020-03-18 10:51:06 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 10:51:06 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2020-03-18 10:51:16 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:51:16 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:51:16 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:51:16 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:51:16 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:51:16 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:51:16 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:51:16 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 10:51:16 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:51:16 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:51:16 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:51:16 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:51:16 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:51:16 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:51:16 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:51:16 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2020-03-18 10:51:58 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:51:58 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 10:51:58 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:51:58 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2020-03-18 10:52:10 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 10:52:10 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2020-03-18 10:52:41 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:52:41 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:52:41 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:52:41 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:52:41 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:52:41 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:52:41 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:52:41 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 10:52:41 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:52:41 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:52:41 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:52:41 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:52:41 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:52:41 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:52:41 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:52:41 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2020-03-18 10:53:03 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 10:53:03 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2020-03-18 10:53:23 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:53:23 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 10:53:23 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:53:23 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2020-03-18 10:54:06 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:54:06 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:54:06 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:54:06 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:54:06 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:54:06 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:54:06 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:54:06 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 10:54:06 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:54:06 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:54:06 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:54:06 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:54:06 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:54:06 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:54:06 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:54:06 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2020-03-18 10:54:48 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 10:54:48 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 10:54:48 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 10:54:48 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2020-03-18 10:55:01 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 10:55:01 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2020-03-18 10:57:45 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x17fc Process Name: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
|
| | Security | Audit Success | 12544 | 2020-03-18 10:58:59 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 10:58:59 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2020-03-18 11:02:48 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 11:02:48 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2020-03-18 11:02:48 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 11:02:48 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 11:02:48 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 11:02:48 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 11:02:48 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 11:02:48 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 11:02:48 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 11:02:48 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 11:02:48 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 11:02:48 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 11:02:48 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 11:02:48 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 11:02:48 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 11:02:48 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 11:02:48 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 11:02:48 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 11:02:48 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 11:02:48 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 11:02:49 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 11:02:49 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 11:02:49 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 11:02:49 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 11:02:49 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 11:02:49 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 11:02:49 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 11:02:49 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:04:33 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 11:04:33 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2020-03-18 11:05:10 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12545 | 2020-03-18 11:05:10 | | Microsoft-Windows-Security-Auditing | 4647: User initiated logoff: Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xd12cf This event is generated when a logoff is initiated. No further user-initiated activity can occur. This event can be interpreted as a logoff event.
|
| | Security | Audit Success | 12548 | 2020-03-18 11:05:10 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2020-03-18 11:05:10 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-500 Account Name: Administrator Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0xb20 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 11:05:10 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-503 Account Name: DefaultAccount Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0xb20 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 11:05:10 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0xb20 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 11:05:10 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0xb20 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 11:05:10 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-504 Account Name: WDAGUtilityAccount Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0xb20 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 12544 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x328 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13568 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\_0000000000000000.cdf-ms Handle ID: 0x11d8 Process Information: Process ID: 0x2078 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.471_none_5f12f35059003107\TiWorker.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$.cdf-ms Handle ID: 0x11d4 Process Information: Process ID: 0x2078 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.471_none_5f12f35059003107\TiWorker.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_21f9a9c4a2f8b514.cdf-ms Handle ID: 0x11d0 Process Information: Process ID: 0x2078 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.471_none_5f12f35059003107\TiWorker.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_wbem_06656d9fdf2f8577.cdf-ms Handle ID: 0x11d4 Process Information: Process ID: 0x2078 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.471_none_5f12f35059003107\TiWorker.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_microsoft.net_3296b36dbe4c7fa3.cdf-ms Handle ID: 0x11d0 Process Information: Process ID: 0x2078 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.471_none_5f12f35059003107\TiWorker.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_microsoft.net_framework64_083d4e330e766c5d.cdf-ms Handle ID: 0x1194 Process Information: Process ID: 0x2078 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.471_none_5f12f35059003107\TiWorker.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_microsoft.net_framework64_v4.0.30319_46321ba736a30085.cdf-ms Handle ID: 0x11d4 Process Information: Process ID: 0x2078 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.471_none_5f12f35059003107\TiWorker.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_microsoft.net_framework64_v4.0.30319_wpf_647a02df72a14032.cdf-ms Handle ID: 0x11d0 Process Information: Process ID: 0x2078 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.471_none_5f12f35059003107\TiWorker.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_microsoft.net_framework64_v4.0.30319_wpf_fonts_0428e0346460ac4c.cdf-ms Handle ID: 0xb2c Process Information: Process ID: 0x2078 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.471_none_5f12f35059003107\TiWorker.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_microsoft.net_framework64_v4.0.30319_wpf_en-us_0242687c673a608c.cdf-ms Handle ID: 0x1194 Process Information: Process ID: 0x2078 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.471_none_5f12f35059003107\TiWorker.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_microsoft.net_framework64_v4.0.30319_nativeimages_ae465c5139d1dacc.cdf-ms Handle ID: 0x119c Process Information: Process ID: 0x2078 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.471_none_5f12f35059003107\TiWorker.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_microsoft.net_framework_83386eac0379231b.cdf-ms Handle ID: 0xb2c Process Information: Process ID: 0x2078 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.471_none_5f12f35059003107\TiWorker.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_microsoft.net_framework_v4.0.30319_c40c7a995ddd757b.cdf-ms Handle ID: 0x1194 Process Information: Process ID: 0x2078 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.471_none_5f12f35059003107\TiWorker.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_microsoft.net_framework_v4.0.30319_wpf_bc1339ef8efa3c4c.cdf-ms Handle ID: 0x119c Process Information: Process ID: 0x2078 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.471_none_5f12f35059003107\TiWorker.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_microsoft.net_framework_v4.0.30319_wpf_fonts_dc62106d96619a3c.cdf-ms Handle ID: 0xb2c Process Information: Process ID: 0x2078 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.471_none_5f12f35059003107\TiWorker.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_microsoft.net_framework_v4.0.30319_wpf_en-us_dc5fd125966afabc.cdf-ms Handle ID: 0x1194 Process Information: Process ID: 0x2078 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.471_none_5f12f35059003107\TiWorker.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_microsoft.net_framework_v4.0.30319_nativeimages_7f83bd6ed8241f3a.cdf-ms Handle ID: 0x119c Process Information: Process ID: 0x2078 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.471_none_5f12f35059003107\TiWorker.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_inf_3f581daba4c8c835.cdf-ms Handle ID: 0xb2c Process Information: Process ID: 0x2078 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.471_none_5f12f35059003107\TiWorker.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_inf_smsvchost_4.0.0.0_13299f3c208ca635.cdf-ms Handle ID: 0x1194 Process Information: Process ID: 0x2078 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.471_none_5f12f35059003107\TiWorker.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_inf_smsvchost_4.0.0.0_0000_1bb3624f8498ff51.cdf-ms Handle ID: 0x119c Process Information: Process ID: 0x2078 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.471_none_5f12f35059003107\TiWorker.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Aspnet_perf.dll Handle ID: 0xb2c Process Information: Process ID: 0x2078 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.471_none_5f12f35059003107\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe Handle ID: 0xb2c Process Information: Process ID: 0x2078 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.471_none_5f12f35059003107\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\_0000000000000000.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_21f9a9c4a2f8b514.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_wbem_06656d9fdf2f8577.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_microsoft.net_3296b36dbe4c7fa3.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_microsoft.net_framework64_083d4e330e766c5d.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_microsoft.net_framework64_v4.0.30319_46321ba736a30085.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_microsoft.net_framework64_v4.0.30319_wpf_647a02df72a14032.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_microsoft.net_framework64_v4.0.30319_wpf_fonts_0428e0346460ac4c.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_microsoft.net_framework64_v4.0.30319_wpf_en-us_0242687c673a608c.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_microsoft.net_framework64_v4.0.30319_nativeimages_ae465c5139d1dacc.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_microsoft.net_framework_83386eac0379231b.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_microsoft.net_framework_v4.0.30319_c40c7a995ddd757b.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_microsoft.net_framework_v4.0.30319_wpf_bc1339ef8efa3c4c.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_microsoft.net_framework_v4.0.30319_wpf_fonts_dc62106d96619a3c.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_microsoft.net_framework_v4.0.30319_wpf_en-us_dc5fd125966afabc.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_microsoft.net_framework_v4.0.30319_nativeimages_7f83bd6ed8241f3a.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_inf_3f581daba4c8c835.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_inf_smsvchost_4.0.0.0_13299f3c208ca635.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_inf_smsvchost_4.0.0.0_0000_1bb3624f8498ff51.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Aspnet_perf.dll Handle ID: 0x74 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe Handle ID: 0x68 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll Handle ID: 0x68 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework\v4.0.30319\clrjit.dll Handle ID: 0x68 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordacwks.dll Handle ID: 0x7c Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscordbi.dll Handle ID: 0x7c Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll Handle ID: 0x7c Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll Handle ID: 0x7c Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework\v4.0.30319\peverify.dll Handle ID: 0x68 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceMonikerSupport.dll Handle ID: 0x68 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMDiagnostics.dll Handle ID: 0x60 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe Handle ID: 0x60 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework\v4.0.30319\SOS.dll Handle ID: 0x60 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Activities.dll Handle ID: 0x60 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Activities.Presentation.dll Handle ID: 0x60 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Core.dll Handle ID: 0x60 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Data.dll Handle ID: 0x60 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.dll Handle ID: 0x60 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.IdentityModel.dll Handle ID: 0x68 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.IdentityModel.Services.dll Handle ID: 0x68 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Net.Sockets.dll Handle ID: 0x68 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Runtime.Serialization.dll Handle ID: 0x68 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.ServiceModel.Channels.dll Handle ID: 0x68 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.ServiceModel.Discovery.dll Handle ID: 0x68 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.ServiceModel.dll Handle ID: 0x60 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.ServiceModel.Internals.dll Handle ID: 0x68 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.ServiceModel.WasHosting.dll Handle ID: 0x68 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Web.ApplicationServices.dll Handle ID: 0x68 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Web.DataVisualization.dll Handle ID: 0x68 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Web.dll Handle ID: 0x68 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Web.Extensions.dll Handle ID: 0x68 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Windows.Forms.DataVisualization.dll Handle ID: 0x68 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Windows.Forms.dll Handle ID: 0x68 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Workflow.Activities.dll Handle ID: 0x68 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Workflow.ComponentModel.dll Handle ID: 0x68 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Workflow.Runtime.dll Handle ID: 0x68 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Xaml.dll Handle ID: 0x68 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework\v4.0.30319\webengine.dll Handle ID: 0x68 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework\v4.0.30319\webengine4.dll Handle ID: 0x68 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework\v4.0.30319\WorkflowServiceHostPerformanceCounters.dll Handle ID: 0x68 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework\v4.0.30319\NativeImages\mscorlib.ni.dll Handle ID: 0x68 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\PenIMC.dll Handle ID: 0x7c Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\PenIMC2_v0400.dll Handle ID: 0x7c Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\PenIMC_v0400.dll Handle ID: 0x7c Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\PresentationCore.dll Handle ID: 0x7c Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\PresentationFramework-SystemData.dll Handle ID: 0x7c Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\PresentationFramework.dll Handle ID: 0x7c Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\PresentationHost_v0400.dll Handle ID: 0x7c Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\PresentationNative_v0400.dll Handle ID: 0x7c Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\ReachFramework.dll Handle ID: 0x7c Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\System.Printing.dll Handle ID: 0x7c Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\System.Windows.Controls.Ribbon.dll Handle ID: 0x7c Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\UIAutomationClient.dll Handle ID: 0x7c Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\UIAutomationClientsideProviders.dll Handle ID: 0x7c Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\UIAutomationProvider.dll Handle ID: 0x7c Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\UIAutomationTypes.dll Handle ID: 0x70 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\WindowsBase.dll Handle ID: 0x7c Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\WindowsFormsIntegration.dll Handle ID: 0x7c Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\wpfgfx_v0400.dll Handle ID: 0x7c Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\en-US\PresentationHost_v0400.dll.mui Handle ID: 0x7c Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Aspnet_perf.dll Handle ID: 0x74 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe Handle ID: 0x7c Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll Handle ID: 0x7c Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clrjit.dll Handle ID: 0x7c Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\compatjit.dll Handle ID: 0x7c Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordacwks.dll Handle ID: 0x7c Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll Handle ID: 0x7c Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll Handle ID: 0x7c Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll Handle ID: 0x7c Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\peverify.dll Handle ID: 0x60 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceMonikerSupport.dll Handle ID: 0x60 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMDiagnostics.dll Handle ID: 0x60 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe Handle ID: 0x60 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SOS.dll Handle ID: 0x60 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Activities.dll Handle ID: 0x60 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Activities.Presentation.dll Handle ID: 0x60 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Core.dll Handle ID: 0x60 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Data.dll Handle ID: 0x60 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.dll Handle ID: 0x60 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.IdentityModel.dll Handle ID: 0x60 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.IdentityModel.Services.dll Handle ID: 0x60 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Net.Sockets.dll Handle ID: 0x60 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Runtime.Serialization.dll Handle ID: 0x60 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.ServiceModel.Channels.dll Handle ID: 0x60 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.ServiceModel.Discovery.dll Handle ID: 0x60 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.ServiceModel.dll Handle ID: 0x60 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.ServiceModel.Internals.dll Handle ID: 0x60 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.ServiceModel.WasHosting.dll Handle ID: 0x60 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Web.ApplicationServices.dll Handle ID: 0x60 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Web.DataVisualization.dll Handle ID: 0x60 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Web.dll Handle ID: 0x60 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Web.Extensions.dll Handle ID: 0x60 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Windows.Forms.DataVisualization.dll Handle ID: 0x60 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Windows.Forms.dll Handle ID: 0x60 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Workflow.Activities.dll Handle ID: 0x60 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Workflow.ComponentModel.dll Handle ID: 0x60 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Workflow.Runtime.dll Handle ID: 0x60 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Xaml.dll Handle ID: 0x60 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\webengine.dll Handle ID: 0x60 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\webengine4.dll Handle ID: 0x60 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WorkflowServiceHostPerformanceCounters.dll Handle ID: 0x60 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\NativeImages\mscorlib.ni.dll Handle ID: 0x60 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\PenIMC.dll Handle ID: 0x7c Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\PenIMC2_v0400.dll Handle ID: 0x7c Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\PenIMC_v0400.dll Handle ID: 0x70 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\PresentationCore.dll Handle ID: 0x7c Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\PresentationFramework-SystemData.dll Handle ID: 0x7c Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\PresentationFramework.dll Handle ID: 0x7c Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\PresentationHost_v0400.dll Handle ID: 0x7c Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\PresentationNative_v0400.dll Handle ID: 0x7c Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\ReachFramework.dll Handle ID: 0x7c Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\System.Printing.dll Handle ID: 0x7c Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\System.Windows.Controls.Ribbon.dll Handle ID: 0x7c Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\UIAutomationClient.dll Handle ID: 0x7c Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\UIAutomationClientsideProviders.dll Handle ID: 0x7c Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\UIAutomationProvider.dll Handle ID: 0x7c Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\UIAutomationTypes.dll Handle ID: 0x7c Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WindowsBase.dll Handle ID: 0x7c Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WindowsFormsIntegration.dll Handle ID: 0x7c Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\wpfgfx_v0400.dll Handle ID: 0x74 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\en-US\PresentationHost_v0400.dll.mui Handle ID: 0x74 Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13826 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x2618 Process Name: C:\Windows\System32\VSSVC.exe
|
| | Security | Audit Success | 13826 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x2618 Process Name: C:\Windows\System32\VSSVC.exe
|
| | Security | Audit Success | 13826 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x2618 Process Name: C:\Windows\System32\VSSVC.exe
|
| | Security | Audit Success | 13826 | 2020-03-18 11:05:12 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x2618 Process Name: C:\Windows\System32\VSSVC.exe
|
| | Security | Audit Success | 103 | 2020-03-18 11:05:14 | | Microsoft-Windows-Eventlog | 1100: The event logging service has shut down.
|
| | Security | Audit Success | 13312 | 2020-03-18 11:05:26 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x78 New Process Name: ????-??6?4????0--?0??????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x4 Creator Process Name: ??????? Process Command Line: ????0--?0??????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2020-03-18 11:05:26 | | Microsoft-Windows-Security-Auditing | 4696: A primary token was assigned to process. Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Process Information: Process ID: 0x4 Process Name: ? Target Process: Target Process ID: 0x78 Target Process Name: Registry New Token Information: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x3e7
|
| | Security | Audit Success | 13312 | 2020-03-18 11:05:26 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1b0 New Process Name: ??????????????-??6?4????0--?0??????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x4 Creator Process Name: ??????? Process Command Line: ????0--?0??????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2020-03-18 11:05:26 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1d0 New Process Name: ???????????????e??? ????????? ???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1b0 Creator Process Name: ????????????????????4 Process Command Line: ????0--?0????????????????????4 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13573 | 2020-03-18 11:05:26 | | Microsoft-Windows-Security-Auditing | 4826: Boot Configuration Data loaded. Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 General Settings: Load Options: - Advanced Options: %%1843 Configuration Access Policy: %%1846 System Event Logging: %%1843 Kernel Debugging: %%1843 VSM Launch Type: %%1848 Signature Settings: Test Signing: %%1843 Flight Signing: %%1843 Disable Integrity Checks: %%1843 HyperVisor Settings: HyperVisor Load Options: - HyperVisor Launch Type: %%1848 HyperVisor Debugging: %%1843
|
| | Security | Audit Success | 13312 | 2020-03-18 11:05:27 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x238 New Process Name: ??????????????-??6??0????0--?0????????????????????4? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1b0 Creator Process Name: ????????????????????4? Process Command Line: ????0--?0????????????????????4? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 12288 | 2020-03-18 11:05:34 | | Microsoft-Windows-Security-Auditing | 4608: Windows is starting up. This event is logged when LSASS.EXE starts and the auditing subsystem is initialized.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:05:34 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 0 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: - New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4 Process Name: ? Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: - Authentication Package: - Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:05:34 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: UMFD-0 Account Domain: Font Driver Host Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x2d4 Process Name: C:\Windows\System32\wininit.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:05:34 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1842 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-96-0-0 Account Name: UMFD-0 Account Domain: Font Driver Host Logon ID: 0x10095 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2d4 Process Name: C:\Windows\System32\wininit.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:05:34 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x31c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:05:34 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x31c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:05:34 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x31c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:05:34 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: UMFD-1 Account Domain: Font Driver Host Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x374 Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:05:34 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1842 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-96-0-1 Account Name: UMFD-1 Account Domain: Font Driver Host Logon ID: 0x1068a Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x374 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:05:34 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x31c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:05:34 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x31c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:05:34 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DWM-1 Account Domain: Window Manager Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x374 Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:05:34 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1842 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x195b0 Linked Logon ID: 0x1960b Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x374 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:05:34 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1842 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x1960b Linked Logon ID: 0x195b0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x374 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:05:34 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x31c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:05:34 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x31c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:05:34 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x31c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:05:34 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x31c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:05:34 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x31c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:05:34 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x31c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:05:34 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x31c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:05:34 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x31c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:05:34 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x31c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:05:34 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x31c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 11:05:34 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 11:05:34 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 11:05:34 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 11:05:34 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e4 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 11:05:34 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 11:05:34 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x195b0 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 11:05:34 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x1960b Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 11:05:34 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 11:05:34 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 11:05:34 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 11:05:34 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 11:05:34 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 11:05:34 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 11:05:34 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 11:05:34 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 11:05:34 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 11:05:34 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13312 | 2020-03-18 11:05:34 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x27c New Process Name: ??????????????e??? ????????? ???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x238 Creator Process Name: ????????????????????4 Process Command Line: ????0--?0????????????????????4 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2020-03-18 11:05:34 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2cc New Process Name: ??????????????-??6??0????0--?0????????????????????4? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1b0 Creator Process Name: ????????????????????4? Process Command Line: ????0--?0????????????????????4? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2020-03-18 11:05:34 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2d4 New Process Name: ???????????????e??? ????????? ???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x238 Creator Process Name: ????????????????????4 Process Command Line: ????0--?0????????????????????4 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2020-03-18 11:05:34 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2e4 New Process Name: ??????????????e??? ????????? ???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x2cc Creator Process Name: ????????????????????4 Process Command Line: ????0--?0????????????????????4 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2020-03-18 11:05:34 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x31c New Process Name: ????????????????-??6??4????0--?0???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x2d4 Creator Process Name: ???????????????e?????? Process Command Line: ????0--?0???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2020-03-18 11:05:34 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x324 New Process Name: ??????????????e??? ????????? ???????????????????????4? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x2d4 Creator Process Name: ???????????????e?????? Process Command Line: ????0--?0???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13568 | 2020-03-18 11:05:34 | | Microsoft-Windows-Security-Auditing | 4902: The Per-user audit policy table was created. Number of Elements: 0 Policy ID: 0xfed9
|
| | Security | Audit Success | 12292 | 2020-03-18 11:05:35 | | Microsoft-Windows-Security-Auditing | 5033: The Windows Firewall Driver started successfully.
|
| | Security | Audit Success | 12292 | 2020-03-18 11:05:35 | | Microsoft-Windows-Security-Auditing | 5024: The Windows Firewall service started successfully.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:05:35 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x31c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:05:35 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x31c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:05:35 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x31c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:05:35 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x31c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:05:35 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x31c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:05:35 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x31c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:05:35 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x31c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:05:35 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x31c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:05:35 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x31c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:05:35 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x31c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:05:35 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x31c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:05:35 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x31c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:05:35 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x31c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:05:35 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x31c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 11:05:35 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 11:05:35 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 11:05:35 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 11:05:35 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 11:05:35 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 11:05:35 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 11:05:35 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 11:05:35 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 11:05:35 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 11:05:35 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 11:05:35 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 11:05:35 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 11:05:35 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 11:05:35 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13826 | 2020-03-18 11:05:35 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-20 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e4 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0xed4 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13826 | 2020-03-18 11:05:35 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0xef4 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 12544 | 2020-03-18 11:05:36 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x31c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 11:05:36 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2020-03-18 11:05:38 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x31c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 11:05:38 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2020-03-18 11:06:20 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x31c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 11:06:20 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2020-03-18 11:06:20 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x520 Process Name: C:\Windows\System32\LogonUI.exe
|
| | Security | Audit Success | 12290 | 2020-03-18 11:06:46 | | Microsoft-Windows-Security-Auditing | 5061: Cryptographic operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: {9958B427-41A6-494A-83E0-B395A2CFCE0B} Key Type: %%2500 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
|
| | Security | Audit Success | 12290 | 2020-03-18 11:06:46 | | Microsoft-Windows-Security-Auditing | 5061: Cryptographic operation. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x76f46 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: %%2500 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
|
| | Security | Audit Success | 12290 | 2020-03-18 11:06:46 | | Microsoft-Windows-Security-Auditing | 5061: Cryptographic operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: %%2500 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
|
| | Security | Audit Success | 12292 | 2020-03-18 11:06:46 | | Microsoft-Windows-Security-Auditing | 5058: Key file operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Process Information: Process ID: 6880 Process Creation Time: 2020-03-18T03:06:20.907705000Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: {9958B427-41A6-494A-83E0-B395A2CFCE0B} Key Type: %%2500 Key File Operation Information: File Path: C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\e616b71df416cc5b9b621e575917310d_7fbcc963-8e43-4455-80cd-825694131a80 Operation: %%2458 Return Code: 0x0
|
| | Security | Audit Success | 12292 | 2020-03-18 11:06:46 | | Microsoft-Windows-Security-Auditing | 5058: Key file operation. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x76f46 Process Information: Process ID: 1740 Process Creation Time: 2020-03-18T03:06:46.259601800Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: Microsoft Connected Devices Platform device certificate Key Type: %%2500 Key File Operation Information: File Path: C:\Users\redblue\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_7fbcc963-8e43-4455-80cd-825694131a80 Operation: %%2458 Return Code: 0x0
|
| | Security | Audit Success | 12292 | 2020-03-18 11:06:46 | | Microsoft-Windows-Security-Auditing | 5059: Key migration operation. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x76f46 Process Information: Process ID: 1740 Process Creation Time: 2020-03-18T03:06:46.259601800Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: %%2500 Additional Information: Operation: %%2464 Return Code: 0x0
|
| | Security | Audit Success | 12292 | 2020-03-18 11:06:46 | | Microsoft-Windows-Security-Auditing | 5058: Key file operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Process Information: Process ID: 6288 Process Creation Time: 2020-03-18T03:06:46.386464400Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: Microsoft Connected Devices Platform device certificate Key Type: %%2500 Key File Operation Information: File Path: C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_7fbcc963-8e43-4455-80cd-825694131a80 Operation: %%2458 Return Code: 0x0
|
| | Security | Audit Success | 12292 | 2020-03-18 11:06:46 | | Microsoft-Windows-Security-Auditing | 5059: Key migration operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Process Information: Process ID: 6288 Process Creation Time: 2020-03-18T03:06:46.386464400Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: %%2500 Additional Information: Operation: %%2464 Return Code: 0x0
|
| | Security | Audit Success | 12544 | 2020-03-18 11:06:46 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xb98 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: 127.0.0.1 Port: 0 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:06:46 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x76f11 Linked Logon ID: 0x76f46 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xb98 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: DESKTOP-UT5JEJD Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:06:46 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x76f46 Linked Logon ID: 0x76f11 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xb98 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: DESKTOP-UT5JEJD Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:06:46 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x31c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 11:06:46 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x76f11 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 11:06:46 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2020-03-18 11:06:46 | | Microsoft-Windows-Security-Auditing | 5382: Vault credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 This event occurs when a user reads a stored vault credential.
|
| | Security | Audit Success | 13826 | 2020-03-18 11:06:46 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x8f4 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 12544 | 2020-03-18 11:06:47 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x31c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 11:06:47 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13826 | 2020-03-18 11:06:47 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x7ec Process Name: C:\Windows\System32\SearchIndexer.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 11:06:56 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1524 Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 11:06:56 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1524 Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe
|
| | Security | Audit Success | 12544 | 2020-03-18 11:06:58 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x31c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 11:06:58 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2020-03-18 11:06:58 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x76f46 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 11:06:59 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x76f46 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 11:07:01 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x76f46 Additional Information: Caller Workstation: DESKTOP-UT5JEJD Target Account Name: Administrator Target Account Domain: DESKTOP-UT5JEJD
|
| | Security | Audit Success | 13824 | 2020-03-18 11:07:01 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x76f46 Additional Information: Caller Workstation: DESKTOP-UT5JEJD Target Account Name: DefaultAccount Target Account Domain: DESKTOP-UT5JEJD
|
| | Security | Audit Success | 13824 | 2020-03-18 11:07:01 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x76f46 Additional Information: Caller Workstation: DESKTOP-UT5JEJD Target Account Name: Guest Target Account Domain: DESKTOP-UT5JEJD
|
| | Security | Audit Success | 13824 | 2020-03-18 11:07:01 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x76f46 Additional Information: Caller Workstation: DESKTOP-UT5JEJD Target Account Name: WDAGUtilityAccount Target Account Domain: DESKTOP-UT5JEJD
|
| | Security | Audit Success | 12544 | 2020-03-18 11:07:02 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x31c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 11:07:02 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2020-03-18 11:07:02 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x76f46 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x2170 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 11:07:02 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x76f46 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x2170 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 11:07:02 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x76f46 Additional Information: Caller Workstation: DESKTOP-UT5JEJD Target Account Name: Administrator Target Account Domain: DESKTOP-UT5JEJD
|
| | Security | Audit Success | 13824 | 2020-03-18 11:07:02 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x76f46 User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x2170 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 11:07:02 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x76f46 User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x2170 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 11:07:02 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x76f46 User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x2170 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 11:07:02 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x76f46 User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x2170 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 11:07:02 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 11:07:02 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 11:07:02 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 11:07:02 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x76f46 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 11:07:02 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x76f46 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 11:07:02 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x76f46 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:07:06 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x31c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 11:07:06 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2020-03-18 11:07:16 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x31c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 11:07:16 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2020-03-18 11:07:23 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x31c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 11:07:23 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2020-03-18 11:07:31 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x31c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:07:31 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x31c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 11:07:31 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 11:07:31 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2020-03-18 11:07:38 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x31c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 11:07:38 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2020-03-18 11:07:45 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x31c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 11:07:45 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13826 | 2020-03-18 11:07:49 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x29b4 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 12544 | 2020-03-18 11:07:50 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x31c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 11:07:50 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2020-03-18 11:08:20 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x31c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 11:08:20 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2020-03-18 11:08:21 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x31c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:08:21 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x31c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:08:21 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x31c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 11:08:21 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 11:08:21 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 11:08:21 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2020-03-18 11:10:39 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x76f46 Additional Information: Caller Workstation: DESKTOP-UT5JEJD Target Account Name: Administrator Target Account Domain: DESKTOP-UT5JEJD
|
| | Security | Audit Success | 13824 | 2020-03-18 11:10:39 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x76f46 Additional Information: Caller Workstation: DESKTOP-UT5JEJD Target Account Name: DefaultAccount Target Account Domain: DESKTOP-UT5JEJD
|
| | Security | Audit Success | 13824 | 2020-03-18 11:10:39 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x76f46 Additional Information: Caller Workstation: DESKTOP-UT5JEJD Target Account Name: Guest Target Account Domain: DESKTOP-UT5JEJD
|
| | Security | Audit Success | 13824 | 2020-03-18 11:10:39 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x76f46 Additional Information: Caller Workstation: DESKTOP-UT5JEJD Target Account Name: WDAGUtilityAccount Target Account Domain: DESKTOP-UT5JEJD
|
| | Security | Audit Success | 12544 | 2020-03-18 11:10:51 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x31c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 11:10:51 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12545 | 2020-03-18 11:10:55 | | Microsoft-Windows-Security-Auditing | 4647: User initiated logoff: Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x76f46 This event is generated when a logoff is initiated. No further user-initiated activity can occur. This event can be interpreted as a logoff event.
|
| | Security | Audit Success | 13824 | 2020-03-18 11:10:55 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-500 Account Name: Administrator Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0xb98 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 11:10:55 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-503 Account Name: DefaultAccount Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0xb98 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 11:10:55 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0xb98 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 11:10:55 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0xb98 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 11:10:55 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-504 Account Name: WDAGUtilityAccount Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0xb98 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 103 | 2020-03-18 11:10:56 | | Microsoft-Windows-Eventlog | 1100: The event logging service has shut down.
|
| | Security | Audit Success | 13312 | 2020-03-18 11:13:04 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x78 New Process Name: ????-??6?4????0--?0??????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x4 Creator Process Name: ??????? Process Command Line: ????0--?0??????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2020-03-18 11:13:04 | | Microsoft-Windows-Security-Auditing | 4696: A primary token was assigned to process. Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Process Information: Process ID: 0x4 Process Name: ? Target Process: Target Process ID: 0x78 Target Process Name: Registry New Token Information: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x3e7
|
| | Security | Audit Success | 13312 | 2020-03-18 11:13:04 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1b0 New Process Name: ??????????????-??6?4????0--?0??????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x4 Creator Process Name: ??????? Process Command Line: ????0--?0??????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2020-03-18 11:13:04 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1d0 New Process Name: ???????????????e??? ????????? ???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1b0 Creator Process Name: ????????????????????4 Process Command Line: ????0--?0????????????????????4 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13573 | 2020-03-18 11:13:04 | | Microsoft-Windows-Security-Auditing | 4826: Boot Configuration Data loaded. Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 General Settings: Load Options: - Advanced Options: %%1843 Configuration Access Policy: %%1846 System Event Logging: %%1843 Kernel Debugging: %%1843 VSM Launch Type: %%1848 Signature Settings: Test Signing: %%1843 Flight Signing: %%1843 Disable Integrity Checks: %%1843 HyperVisor Settings: HyperVisor Load Options: - HyperVisor Launch Type: %%1848 HyperVisor Debugging: %%1843
|
| | Security | Audit Success | 13312 | 2020-03-18 11:13:05 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x238 New Process Name: ??????????????-??6??0????0--?0????????????????????4? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1b0 Creator Process Name: ????????????????????4? Process Command Line: ????0--?0????????????????????4? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2020-03-18 11:13:10 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x274 New Process Name: ??????????????e??? ????????? ???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x238 Creator Process Name: ????????????????????4 Process Command Line: ????0--?0????????????????????4 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 12288 | 2020-03-18 11:13:11 | | Microsoft-Windows-Security-Auditing | 4608: Windows is starting up. This event is logged when LSASS.EXE starts and the auditing subsystem is initialized.
|
| | Security | Audit Success | 12292 | 2020-03-18 11:13:11 | | Microsoft-Windows-Security-Auditing | 5033: The Windows Firewall Driver started successfully.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:13:11 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 0 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: - New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4 Process Name: ? Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: - Authentication Package: - Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. 
- Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:13:11 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: UMFD-0 Account Domain: Font Driver Host Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x2cc Process Name: C:\Windows\System32\wininit.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:13:11 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:13:11 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1842 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-96-0-0 Account Name: UMFD-0 Account Domain: Font Driver Host Logon ID: 0xfed5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2cc Process Name: C:\Windows\System32\wininit.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:13:11 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:13:11 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:13:11 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: UMFD-1 Account Domain: Font Driver Host Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x37c Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:13:11 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1842 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-96-0-1 Account Name: UMFD-1 Account Domain: Font Driver Host Logon ID: 0x10951 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x37c Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:13:11 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:13:11 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:13:11 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DWM-1 Account Domain: Window Manager Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x37c Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:13:11 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1842 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x16a2f Linked Logon ID: 0x16a76 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x37c Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:13:11 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1842 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x16a76 Linked Logon ID: 0x16a2f Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x37c Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:13:11 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:13:11 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:13:11 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:13:11 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:13:11 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:13:11 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:13:11 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:13:11 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:13:11 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:13:11 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:13:11 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:13:11 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:13:11 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 11:13:11 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 11:13:11 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 11:13:11 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 11:13:11 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e4 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 11:13:11 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 11:13:11 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x16a2f Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 11:13:11 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x16a76 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 11:13:11 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 11:13:11 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 11:13:11 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 11:13:11 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 11:13:11 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 11:13:11 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 11:13:11 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 11:13:11 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 11:13:11 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 11:13:11 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 11:13:11 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 11:13:11 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 11:13:11 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13312 | 2020-03-18 11:13:11 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2c4 New Process Name: ??????????????-??6??0????0--?0????????????????????4? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1b0 Creator Process Name: ????????????????????4? Process Command Line: ????0--?0????????????????????4? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2020-03-18 11:13:11 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2cc New Process Name: ???????????????e??? ????????? ???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x238 Creator Process Name: ????????????????????4 Process Command Line: ????0--?0????????????????????4 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2020-03-18 11:13:11 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2dc New Process Name: ??????????????e??? ????????? ???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x2c4 Creator Process Name: ????????????????????4 Process Command Line: ????0--?0????????????????????4 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2020-03-18 11:13:11 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x314 New Process Name: ????????????????-??6??c????0--?0???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x2cc Creator Process Name: ???????????????e?????? Process Command Line: ????0--?0???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2020-03-18 11:13:11 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x31c New Process Name: ??????????????e??? ????????? ???????????????????????4? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x2cc Creator Process Name: ???????????????e?????? Process Command Line: ????0--?0???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13568 | 2020-03-18 11:13:11 | | Microsoft-Windows-Security-Auditing | 4902: The Per-user audit policy table was created. Number of Elements: 0 Policy ID: 0xfc5a
|
| | Security | Audit Success | 12292 | 2020-03-18 11:13:12 | | Microsoft-Windows-Security-Auditing | 5024: The Windows Firewall service started successfully.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:13:12 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:13:12 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:13:12 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:13:12 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:13:12 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:13:12 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:13:12 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:13:12 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:13:12 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:13:12 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 11:13:12 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 11:13:12 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 11:13:12 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 11:13:12 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 11:13:12 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 11:13:12 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 11:13:12 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 11:13:12 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 11:13:12 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 11:13:12 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13826 | 2020-03-18 11:13:12 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-20 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e4 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0xd2c Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13826 | 2020-03-18 11:13:12 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0xd44 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 12290 | 2020-03-18 11:13:13 | | Microsoft-Windows-Security-Auditing | 5061: Cryptographic operation. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x47766 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: %%2500 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
|
| | Security | Audit Success | 12290 | 2020-03-18 11:13:13 | | Microsoft-Windows-Security-Auditing | 5061: Cryptographic operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: %%2500 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
|
| | Security | Audit Success | 12292 | 2020-03-18 11:13:13 | | Microsoft-Windows-Security-Auditing | 5058: Key file operation. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x47766 Process Information: Process ID: 5796 Process Creation Time: 2020-03-18T03:13:13.565600300Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: Microsoft Connected Devices Platform device certificate Key Type: %%2500 Key File Operation Information: File Path: C:\Users\redblue\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_7fbcc963-8e43-4455-80cd-825694131a80 Operation: %%2458 Return Code: 0x0
|
| | Security | Audit Success | 12292 | 2020-03-18 11:13:13 | | Microsoft-Windows-Security-Auditing | 5059: Key migration operation. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x47766 Process Information: Process ID: 5796 Process Creation Time: 2020-03-18T03:13:13.565600300Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: %%2500 Additional Information: Operation: %%2464 Return Code: 0x0
|
| | Security | Audit Success | 12292 | 2020-03-18 11:13:13 | | Microsoft-Windows-Security-Auditing | 5058: Key file operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Process Information: Process ID: 6256 Process Creation Time: 2020-03-18T03:13:13.707641200Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: Microsoft Connected Devices Platform device certificate Key Type: %%2500 Key File Operation Information: File Path: C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_7fbcc963-8e43-4455-80cd-825694131a80 Operation: %%2458 Return Code: 0x0
|
| | Security | Audit Success | 12292 | 2020-03-18 11:13:13 | | Microsoft-Windows-Security-Auditing | 5059: Key migration operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Process Information: Process ID: 6256 Process Creation Time: 2020-03-18T03:13:13.707641200Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: %%2500 Additional Information: Operation: %%2464 Return Code: 0x0
|
| | Security | Audit Success | 12544 | 2020-03-18 11:13:13 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x69c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: 127.0.0.1 Port: 0 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:13:13 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x4772a Linked Logon ID: 0x47766 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x69c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: DESKTOP-UT5JEJD Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:13:13 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x47766 Linked Logon ID: 0x4772a Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x69c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: DESKTOP-UT5JEJD Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:13:13 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 11:13:13 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x4772a Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 11:13:13 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2020-03-18 11:13:13 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x4a4 Process Name: C:\Windows\System32\LogonUI.exe
|
| | Security | Audit Success | 13826 | 2020-03-18 11:13:13 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x5c8 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 12544 | 2020-03-18 11:13:14 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:13:14 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 11:13:14 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 11:13:14 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13826 | 2020-03-18 11:13:14 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x1ce0 Process Name: C:\Windows\System32\SearchIndexer.exe
|
| | Security | Audit Success | 12544 | 2020-03-18 11:13:15 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:13:15 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:13:15 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 11:13:15 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 11:13:15 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 11:13:15 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12290 | 2020-03-18 11:13:20 | | Microsoft-Windows-Security-Auditing | 5061: Cryptographic operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: {9958B427-41A6-494A-83E0-B395A2CFCE0B} Key Type: %%2500 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
|
| | Security | Audit Success | 12292 | 2020-03-18 11:13:20 | | Microsoft-Windows-Security-Auditing | 5058: Key file operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Process Information: Process ID: 7016 Process Creation Time: 2020-03-18T03:13:14.178892600Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: {9958B427-41A6-494A-83E0-B395A2CFCE0B} Key Type: %%2500 Key File Operation Information: File Path: C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\e616b71df416cc5b9b621e575917310d_7fbcc963-8e43-4455-80cd-825694131a80 Operation: %%2458 Return Code: 0x0
|
| | Security | Audit Success | 12544 | 2020-03-18 11:13:20 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x69c Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: 127.0.0.1 Port: 0 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:13:20 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x97335 Linked Logon ID: 0x973ba Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x69c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: DESKTOP-UT5JEJD Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:13:20 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x973ba Linked Logon ID: 0x97335 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x69c Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: DESKTOP-UT5JEJD Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12545 | 2020-03-18 11:13:20 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x973ba Logon Type: 2 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12545 | 2020-03-18 11:13:20 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x97335 Logon Type: 2 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12548 | 2020-03-18 11:13:20 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x97335 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2020-03-18 11:13:20 | | Microsoft-Windows-Security-Auditing | 5382: Vault credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 This event occurs when a user reads a stored vault credential.
|
| | Security | Audit Success | 13824 | 2020-03-18 11:13:22 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x12b8 Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 11:13:22 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x12b8 Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe
|
| | Security | Audit Success | 12544 | 2020-03-18 11:13:25 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 11:13:25 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2020-03-18 11:13:26 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 11:13:26 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2020-03-18 11:13:26 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x47766 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 11:13:26 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x47766 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 11:13:26 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x47766 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13826 | 2020-03-18 11:13:31 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x24d0 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 12290 | 2020-03-18 11:14:00 | | Microsoft-Windows-Security-Auditing | 5061: Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: SCEPProtocolKey-54a2cb9b-4ab7-420b-814d-7ea496e3e2de Key Type: %%2500 Cryptographic Operation: Operation: %%2481 Return Code: 0x0
|
| | Security | Audit Success | 12290 | 2020-03-18 11:14:00 | | Microsoft-Windows-Security-Auditing | 5061: Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: SCEPProtocolKey-54a2cb9b-4ab7-420b-814d-7ea496e3e2de Key Type: %%2500 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
|
| | Security | Audit Success | 12290 | 2020-03-18 11:14:00 | | Microsoft-Windows-Security-Auditing | 5061: Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: SCEPProtocolKey-54a2cb9b-4ab7-420b-814d-7ea496e3e2de Key Type: %%2500 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
|
| | Security | Audit Success | 12292 | 2020-03-18 11:14:00 | | Microsoft-Windows-Security-Auditing | 5058: Key file operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Process Information: Process ID: 9652 Process Creation Time: 2020-03-18T03:13:57.109509700Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: SCEPProtocolKey-54a2cb9b-4ab7-420b-814d-7ea496e3e2de Key Type: %%2500 Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\SystemKeys\c6c2378a2f65dd6b81349d4b03b7048f_7fbcc963-8e43-4455-80cd-825694131a80 Operation: %%2459 Return Code: 0x0
|
| | Security | Audit Success | 12292 | 2020-03-18 11:14:00 | | Microsoft-Windows-Security-Auditing | 5059: Key migration operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Process Information: Process ID: 9652 Process Creation Time: 2020-03-18T03:13:57.109509700Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: SCEPProtocolKey-54a2cb9b-4ab7-420b-814d-7ea496e3e2de Key Type: %%2500 Additional Information: Operation: %%2464 Return Code: 0x0
|
| | Security | Audit Success | 12292 | 2020-03-18 11:14:00 | | Microsoft-Windows-Security-Auditing | 5059: Key migration operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Process Information: Process ID: 9652 Process Creation Time: 2020-03-18T03:13:57.109509700Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: SCEPProtocolKey-54a2cb9b-4ab7-420b-814d-7ea496e3e2de Key Type: %%2500 Additional Information: Operation: %%2464 Return Code: 0x0
|
| | Security | Audit Success | 12292 | 2020-03-18 11:14:00 | | Microsoft-Windows-Security-Auditing | 5059: Key migration operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Process Information: Process ID: 9652 Process Creation Time: 2020-03-18T03:13:57.109509700Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: SCEPProtocolKey-54a2cb9b-4ab7-420b-814d-7ea496e3e2de Key Type: %%2500 Additional Information: Operation: %%2464 Return Code: 0x0
|
| | Security | Audit Success | 12292 | 2020-03-18 11:14:00 | | Microsoft-Windows-Security-Auditing | 5059: Key migration operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Process Information: Process ID: 9652 Process Creation Time: 2020-03-18T03:13:57.109509700Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: SCEPProtocolKey-54a2cb9b-4ab7-420b-814d-7ea496e3e2de Key Type: %%2500 Additional Information: Operation: %%2464 Return Code: 0x0
|
| | Security | Audit Success | 12292 | 2020-03-18 11:14:00 | | Microsoft-Windows-Security-Auditing | 5059: Key migration operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Process Information: Process ID: 9652 Process Creation Time: 2020-03-18T03:13:57.109509700Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: SCEPProtocolKey-54a2cb9b-4ab7-420b-814d-7ea496e3e2de Key Type: %%2500 Additional Information: Operation: %%2464 Return Code: 0x0
|
| | Security | Audit Success | 12292 | 2020-03-18 11:14:00 | | Microsoft-Windows-Security-Auditing | 5059: Key migration operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Process Information: Process ID: 9652 Process Creation Time: 2020-03-18T03:13:57.109509700Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: SCEPProtocolKey-54a2cb9b-4ab7-420b-814d-7ea496e3e2de Key Type: %%2500 Additional Information: Operation: %%2464 Return Code: 0x0
|
| | Security | Audit Success | 12292 | 2020-03-18 11:14:00 | | Microsoft-Windows-Security-Auditing | 5059: Key migration operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Process Information: Process ID: 9652 Process Creation Time: 2020-03-18T03:13:57.109509700Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: SCEPProtocolKey-54a2cb9b-4ab7-420b-814d-7ea496e3e2de Key Type: %%2500 Additional Information: Operation: %%2464 Return Code: 0x0
|
| | Security | Audit Success | 12292 | 2020-03-18 11:14:00 | | Microsoft-Windows-Security-Auditing | 5059: Key migration operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Process Information: Process ID: 9652 Process Creation Time: 2020-03-18T03:13:57.109509700Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: SCEPProtocolKey-54a2cb9b-4ab7-420b-814d-7ea496e3e2de Key Type: %%2500 Additional Information: Operation: %%2464 Return Code: 0x0
|
| | Security | Audit Success | 12292 | 2020-03-18 11:14:00 | | Microsoft-Windows-Security-Auditing | 5059: Key migration operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Process Information: Process ID: 9652 Process Creation Time: 2020-03-18T03:13:57.109509700Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: SCEPProtocolKey-54a2cb9b-4ab7-420b-814d-7ea496e3e2de Key Type: %%2500 Additional Information: Operation: %%2464 Return Code: 0x0
|
| | Security | Audit Success | 12292 | 2020-03-18 11:14:00 | | Microsoft-Windows-Security-Auditing | 5059: Key migration operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Process Information: Process ID: 9652 Process Creation Time: 2020-03-18T03:13:57.109509700Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: SCEPProtocolKey-54a2cb9b-4ab7-420b-814d-7ea496e3e2de Key Type: %%2500 Additional Information: Operation: %%2464 Return Code: 0x0
|
| | Security | Audit Success | 12292 | 2020-03-18 11:14:00 | | Microsoft-Windows-Security-Auditing | 5059: Key migration operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Process Information: Process ID: 9652 Process Creation Time: 2020-03-18T03:13:57.109509700Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: SCEPProtocolKey-54a2cb9b-4ab7-420b-814d-7ea496e3e2de Key Type: %%2500 Additional Information: Operation: %%2464 Return Code: 0x0
|
| | Security | Audit Success | 12292 | 2020-03-18 11:14:00 | | Microsoft-Windows-Security-Auditing | 5059: Key migration operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Process Information: Process ID: 9652 Process Creation Time: 2020-03-18T03:13:57.109509700Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: SCEPProtocolKey-54a2cb9b-4ab7-420b-814d-7ea496e3e2de Key Type: %%2500 Additional Information: Operation: %%2464 Return Code: 0x0
|
| | Security | Audit Success | 12292 | 2020-03-18 11:14:00 | | Microsoft-Windows-Security-Auditing | 5058: Key file operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Process Information: Process ID: 9652 Process Creation Time: 2020-03-18T03:13:57.109509700Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: SCEPProtocolKey-54a2cb9b-4ab7-420b-814d-7ea496e3e2de Key Type: %%2500 Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\SystemKeys\c6c2378a2f65dd6b81349d4b03b7048f_7fbcc963-8e43-4455-80cd-825694131a80 Operation: %%2458 Return Code: 0x0
|
| | Security | Audit Success | 12292 | 2020-03-18 11:14:00 | | Microsoft-Windows-Security-Auditing | 5058: Key file operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Process Information: Process ID: 9652 Process Creation Time: 2020-03-18T03:13:57.109509700Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: SCEPProtocolKey-54a2cb9b-4ab7-420b-814d-7ea496e3e2de Key Type: %%2500 Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\SystemKeys\c6c2378a2f65dd6b81349d4b03b7048f_7fbcc963-8e43-4455-80cd-825694131a80 Operation: %%2458 Return Code: 0x0
|
| | Security | Audit Success | 12544 | 2020-03-18 11:14:00 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 11:14:00 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2020-03-18 11:14:00 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x47766 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 11:14:00 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x47766 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 11:14:00 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x47766 Read Operation: %%8099 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 11:14:00 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x47766 Read Operation: %%8099 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 12290 | 2020-03-18 11:14:01 | | Microsoft-Windows-Security-Auditing | 5061: Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: SCEPProtocolKey-54a2cb9b-4ab7-420b-814d-7ea496e3e2de Key Type: %%2500 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
|
| | Security | Audit Success | 12292 | 2020-03-18 11:14:01 | | Microsoft-Windows-Security-Auditing | 5058: Key file operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Process Information: Process ID: 9652 Process Creation Time: 2020-03-18T03:13:57.109509700Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: SCEPProtocolKey-54a2cb9b-4ab7-420b-814d-7ea496e3e2de Key Type: %%2500 Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\SystemKeys\c6c2378a2f65dd6b81349d4b03b7048f_7fbcc963-8e43-4455-80cd-825694131a80 Operation: %%2458 Return Code: 0x0
|
| | Security | Audit Success | 13824 | 2020-03-18 11:14:01 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x47766 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 11:14:01 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x47766 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 11:14:01 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x47766 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 11:14:01 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x47766 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 12290 | 2020-03-18 11:14:02 | | Microsoft-Windows-Security-Auditing | 5061: Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: SCEPProtocolKey-54a2cb9b-4ab7-420b-814d-7ea496e3e2de Key Type: %%2500 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
|
| | Security | Audit Success | 12290 | 2020-03-18 11:14:02 | | Microsoft-Windows-Security-Auditing | 5061: Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: SCEPProtocolKey-54a2cb9b-4ab7-420b-814d-7ea496e3e2de Key Type: %%2500 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
|
| | Security | Audit Success | 12290 | 2020-03-18 11:14:02 | | Microsoft-Windows-Security-Auditing | 5061: Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: SCEPProtocolKey-54a2cb9b-4ab7-420b-814d-7ea496e3e2de Key Type: %%2500 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
|
| | Security | Audit Success | 12290 | 2020-03-18 11:14:02 | | Microsoft-Windows-Security-Auditing | 5061: Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: SCEPProtocolKey-54a2cb9b-4ab7-420b-814d-7ea496e3e2de Key Type: %%2500 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
|
| | Security | Audit Success | 12292 | 2020-03-18 11:14:02 | | Microsoft-Windows-Security-Auditing | 5058: Key file operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Process Information: Process ID: 9652 Process Creation Time: 2020-03-18T03:13:57.109509700Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: SCEPProtocolKey-54a2cb9b-4ab7-420b-814d-7ea496e3e2de Key Type: %%2500 Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\SystemKeys\c6c2378a2f65dd6b81349d4b03b7048f_7fbcc963-8e43-4455-80cd-825694131a80 Operation: %%2458 Return Code: 0x0
|
| | Security | Audit Success | 12292 | 2020-03-18 11:14:02 | | Microsoft-Windows-Security-Auditing | 5058: Key file operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Process Information: Process ID: 9652 Process Creation Time: 2020-03-18T03:13:57.109509700Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: SCEPProtocolKey-54a2cb9b-4ab7-420b-814d-7ea496e3e2de Key Type: %%2500 Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\SystemKeys\c6c2378a2f65dd6b81349d4b03b7048f_7fbcc963-8e43-4455-80cd-825694131a80 Operation: %%2458 Return Code: 0x0
|
| | Security | Audit Success | 12292 | 2020-03-18 11:14:02 | | Microsoft-Windows-Security-Auditing | 5058: Key file operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Process Information: Process ID: 9652 Process Creation Time: 2020-03-18T03:13:57.109509700Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: SCEPProtocolKey-54a2cb9b-4ab7-420b-814d-7ea496e3e2de Key Type: %%2500 Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\SystemKeys\c6c2378a2f65dd6b81349d4b03b7048f_7fbcc963-8e43-4455-80cd-825694131a80 Operation: %%2458 Return Code: 0x0
|
| | Security | Audit Success | 12292 | 2020-03-18 11:14:02 | | Microsoft-Windows-Security-Auditing | 5058: Key file operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Process Information: Process ID: 9652 Process Creation Time: 2020-03-18T03:13:57.109509700Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: SCEPProtocolKey-54a2cb9b-4ab7-420b-814d-7ea496e3e2de Key Type: %%2500 Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\SystemKeys\c6c2378a2f65dd6b81349d4b03b7048f_7fbcc963-8e43-4455-80cd-825694131a80 Operation: %%2458 Return Code: 0x0
|
| | Security | Audit Success | 12292 | 2020-03-18 11:14:02 | | Microsoft-Windows-Security-Auditing | 5058: Key file operation. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Process Information: Process ID: 9652 Process Creation Time: 2020-03-18T03:13:57.109509700Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: SCEPProtocolKey-54a2cb9b-4ab7-420b-814d-7ea496e3e2de Key Type: %%2500 Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\SystemKeys\c6c2378a2f65dd6b81349d4b03b7048f_7fbcc963-8e43-4455-80cd-825694131a80 Operation: %%2457 Return Code: 0x0
|
| | Security | Audit Success | 12544 | 2020-03-18 11:14:02 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 11:14:02 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2020-03-18 11:14:02 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 11:14:02 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 11:14:02 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 11:14:02 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x47766 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 11:14:02 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x47766 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 11:14:02 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x47766 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 11:14:04 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x47766 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:14:07 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 11:14:07 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2020-03-18 11:14:22 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:14:22 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 11:14:22 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 11:14:22 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2020-03-18 11:14:23 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 11:14:23 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2020-03-18 11:14:41 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x47766 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 11:14:42 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x47766 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x2824 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 11:14:42 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x47766 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x2824 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 11:14:43 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x47766 Additional Information: Caller Workstation: DESKTOP-UT5JEJD Target Account Name: Administrator Target Account Domain: DESKTOP-UT5JEJD
|
| | Security | Audit Success | 13824 | 2020-03-18 11:14:43 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x47766 User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x2824 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 11:14:43 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x47766 User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x2824 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 11:14:43 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x47766 User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x2824 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 11:14:43 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x47766 User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x2824 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
|
| | Security | Audit Success | 12544 | 2020-03-18 11:15:00 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 11:15:00 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2020-03-18 11:15:57 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 11:15:57 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2020-03-18 11:15:58 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:15:58 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:15:58 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 11:15:58 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 11:15:58 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 11:15:58 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2020-03-18 11:16:51 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x47766 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x388 Process Name: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
|
| | Security | Audit Success | 12544 | 2020-03-18 11:19:14 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 11:19:14 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2020-03-18 11:19:16 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 11:19:16 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2020-03-18 11:19:17 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 11:19:17 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2020-03-18 11:20:37 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 11:20:37 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2020-03-18 11:20:46 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 11:20:46 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2020-03-18 11:23:34 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 11:23:34 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2020-03-18 11:23:37 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:23:37 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 11:23:37 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 11:23:37 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2020-03-18 11:23:58 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 11:23:58 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2020-03-18 11:24:02 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 11:24:02 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13826 | 2020-03-18 11:24:02 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x29b4 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 12544 | 2020-03-18 11:24:03 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 11:24:03 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2020-03-18 11:24:11 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 11:24:11 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13568 | 2020-03-18 11:24:11 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\_0000000000000000.cdf-ms Handle ID: 0x9f0 Process Information: Process ID: 0x15fc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.471_none_5f12f35059003107\TiWorker.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:24:11 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$.cdf-ms Handle ID: 0xa68 Process Information: Process ID: 0x15fc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.471_none_5f12f35059003107\TiWorker.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:24:11 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_syswow64_21ffbdd2a2dd92e0.cdf-ms Handle ID: 0xa24 Process Information: Process ID: 0x15fc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.471_none_5f12f35059003107\TiWorker.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:24:11 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_syswow64_advancedinstallers_0c6bb4866bff02f7.cdf-ms Handle ID: 0x998 Process Information: Process ID: 0x15fc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.471_none_5f12f35059003107\TiWorker.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:24:11 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_21f9a9c4a2f8b514.cdf-ms Handle ID: 0xa34 Process Information: Process ID: 0x15fc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.471_none_5f12f35059003107\TiWorker.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:24:11 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_advancedinstallers_dfe2cf200b391371.cdf-ms Handle ID: 0xa68 Process Information: Process ID: 0x15fc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.471_none_5f12f35059003107\TiWorker.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:24:11 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_servicing_fc2045b9046cc796.cdf-ms Handle ID: 0x998 Process Information: Process ID: 0x15fc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.471_none_5f12f35059003107\TiWorker.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:24:11 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_servicing_version_10.0.18362.710_8deca0bb0619542f.cdf-ms Handle ID: 0x998 Process Information: Process ID: 0x15fc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.471_none_5f12f35059003107\TiWorker.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:24:11 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_servicing_sqm_51d9d5f9de5a2fa5.cdf-ms Handle ID: 0x998 Process Information: Process ID: 0x15fc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.471_none_5f12f35059003107\TiWorker.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:24:11 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_servicing_sessions_5591aee9e2456a35.cdf-ms Handle ID: 0x98c Process Information: Process ID: 0x15fc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.471_none_5f12f35059003107\TiWorker.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:24:11 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_servicing_packages_46c20bc5f833cc43.cdf-ms Handle ID: 0xa34 Process Information: Process ID: 0x15fc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.471_none_5f12f35059003107\TiWorker.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:24:11 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_logs_cbs_10a752bcbbaee88b.cdf-ms Handle ID: 0x9f0 Process Information: Process ID: 0x15fc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.471_none_5f12f35059003107\TiWorker.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:24:11 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\poqexec.exe Handle ID: 0x998 Process Information: Process ID: 0x15fc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.471_none_5f12f35059003107\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:24:11 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\poqexec.exe Handle ID: 0x9f0 Process Information: Process ID: 0x15fc Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.471_none_5f12f35059003107\TiWorker.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 12544 | 2020-03-18 11:24:12 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:24:12 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 11:24:12 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 11:24:12 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2020-03-18 11:24:12 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 11:24:12 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 11:24:12 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 11:24:12 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-20 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e4 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 11:24:12 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-20 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e4 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 11:24:12 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-20 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e4 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 11:24:12 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x47766 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 11:24:12 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x47766 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 11:24:12 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x47766 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13826 | 2020-03-18 11:24:12 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x3020 Process Name: C:\Windows\System32\VSSVC.exe
|
| | Security | Audit Success | 13826 | 2020-03-18 11:24:12 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x3020 Process Name: C:\Windows\System32\VSSVC.exe
|
| | Security | Audit Success | 13826 | 2020-03-18 11:24:12 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x3020 Process Name: C:\Windows\System32\VSSVC.exe
|
| | Security | Audit Success | 13826 | 2020-03-18 11:24:12 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x3020 Process Name: C:\Windows\System32\VSSVC.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 11:24:13 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-20 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e4 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 11:24:13 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-20 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e4 Read Operation: %%8099 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 11:24:13 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-20 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e4 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 11:24:13 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-20 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e4 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 11:24:13 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-20 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e4 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 11:24:13 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-20 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e4 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 11:24:13 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-20 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e4 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 11:24:14 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-20 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e4 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 11:24:14 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-20 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e4 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 11:24:14 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-20 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e4 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 11:24:14 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-20 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e4 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 11:24:21 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x47766 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x2824 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 11:24:21 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x47766 Additional Information: Caller Workstation: DESKTOP-UT5JEJD Target Account Name: Administrator Target Account Domain: DESKTOP-UT5JEJD
|
| | Security | Audit Success | 13824 | 2020-03-18 11:24:21 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x47766 User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x2824 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 11:24:21 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x47766 User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x2824 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 11:24:21 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x47766 User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x2824 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 11:24:21 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x47766 User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x2824 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
|
| | Security | Audit Success | 12544 | 2020-03-18 11:24:26 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 11:24:26 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2020-03-18 11:26:50 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x47766 Additional Information: Caller Workstation: DESKTOP-UT5JEJD Target Account Name: Administrator Target Account Domain: DESKTOP-UT5JEJD
|
| | Security | Audit Success | 13824 | 2020-03-18 11:26:50 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x47766 Additional Information: Caller Workstation: DESKTOP-UT5JEJD Target Account Name: DefaultAccount Target Account Domain: DESKTOP-UT5JEJD
|
| | Security | Audit Success | 13824 | 2020-03-18 11:26:50 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x47766 Additional Information: Caller Workstation: DESKTOP-UT5JEJD Target Account Name: Guest Target Account Domain: DESKTOP-UT5JEJD
|
| | Security | Audit Success | 13824 | 2020-03-18 11:26:50 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x47766 Additional Information: Caller Workstation: DESKTOP-UT5JEJD Target Account Name: WDAGUtilityAccount Target Account Domain: DESKTOP-UT5JEJD
|
| | Security | Audit Success | 13824 | 2020-03-18 11:26:54 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x47766 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x18f8 Process Name: C:\Windows\explorer.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 11:27:52 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x47766 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1740 Process Name: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
|
| | Security | Audit Success | 12544 | 2020-03-18 11:28:16 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 11:28:16 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2020-03-18 11:30:40 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:30:40 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 11:30:40 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 11:30:40 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13826 | 2020-03-18 11:30:40 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x1a88 Process Name: C:\Windows\System32\VSSVC.exe
|
| | Security | Audit Success | 13826 | 2020-03-18 11:30:40 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x1a88 Process Name: C:\Windows\System32\VSSVC.exe
|
| | Security | Audit Success | 13826 | 2020-03-18 11:30:40 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x1a88 Process Name: C:\Windows\System32\VSSVC.exe
|
| | Security | Audit Success | 13826 | 2020-03-18 11:30:40 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x1a88 Process Name: C:\Windows\System32\VSSVC.exe
|
| | Security | Audit Success | 12544 | 2020-03-18 11:30:45 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 11:30:45 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2020-03-18 11:30:48 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 11:30:48 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2020-03-18 11:30:50 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 11:30:50 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2020-03-18 11:30:52 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:30:52 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 11:30:52 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 11:30:52 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2020-03-18 11:32:40 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 11:32:40 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2020-03-18 11:35:30 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 11:35:30 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2020-03-18 11:35:56 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 11:35:56 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13826 | 2020-03-18 11:36:01 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x2ae8 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 12544 | 2020-03-18 11:36:49 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 11:36:49 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2020-03-18 11:36:49 | | Microsoft-Windows-Security-Auditing | 5381: Vault credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x47766 This event occurs when a user enumerates stored vault credentials.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:36:58 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 11:36:58 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2020-03-18 11:37:29 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 11:37:29 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2020-03-18 11:37:33 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12545 | 2020-03-18 11:37:33 | | Microsoft-Windows-Security-Auditing | 4647: User initiated logoff: Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x47766 This event is generated when a logoff is initiated. No further user-initiated activity can occur. This event can be interpreted as a logoff event.
|
| | Security | Audit Success | 12548 | 2020-03-18 11:37:33 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2020-03-18 11:37:33 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-500 Account Name: Administrator Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x69c Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 11:37:33 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-503 Account Name: DefaultAccount Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x69c Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 11:37:33 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x69c Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 11:37:33 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x69c Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 11:37:33 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-504 Account Name: WDAGUtilityAccount Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x69c Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Boot\EFI\bootmgfw.efi Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Boot\EFI\bootmgr.efi Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Boot\EFI\memtest.efi Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Boot\PCAT\bootmgr Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\cdd.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\ci.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\hal.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\lsasrv.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\ntdll.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\ntoskrnl.exe Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\offlinelsa.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\securekernel.exe Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\skci.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\tcblaunch.exe Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\tcbloader.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\winload.efi Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\winload.exe Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\winresume.efi Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\winresume.exe Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\Boot\winresume.efi Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\Boot\winresume.exe Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\drivers\afd.sys Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\drivers\ahcache.sys Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\drivers\clfs.sys Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\drivers\crashdmp.sys Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\drivers\dxgkrnl.sys Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\drivers\dxgmms1.sys Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\drivers\dxgmms2.sys Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\drivers\FWPKCLNT.SYS Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\drivers\ksecpkg.sys Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\drivers\mrxsmb.sys Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\drivers\mrxsmb20.sys Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\drivers\ndis.sys Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\drivers\ndiswan.sys Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\drivers\ntfs.sys Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\drivers\pdc.sys Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\drivers\rdbss.sys Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\drivers\refs.sys Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\drivers\storport.sys Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\drivers\tcpip.sys Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\drivers\volsnap.sys Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\drivers\winnat.sys Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\ntdll.dll Handle ID: 0x70 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\_0000000000000000.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_winsxs_installtemp_a7200a27e5239119.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_waas_401032e7a18c2040.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_waas_services_ddfc4ae175ff1678.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_twain_32_209f76caa35c9a77.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_tracing_bca9e27848ac4cc0.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_tapi_401030b7a18c2556.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_syswow64_21ffbdd2a2dd92e0.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_syswow64_zh-cn_c63f31ac3bbd74ba.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_syswow64_windowspowershell_v1.0_19ae85881f1c4f2d.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_syswow64_windowspowershell_v1.0_zh-cn_79e3012172cd67c3.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_syswow64_windowspowershell_v1.0_modules_b001352a7f7811a4.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_syswow64_windowspowershell_v1.0_modules_provisioning_a90c2174ca14f6c9.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_syswow64_windowspowershell_v1.0_en-us_79e30ca972b850e5.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_syswow64_wbem_1bf25d11bb30b33f.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_syswow64_speech_onecore_voiceactivation_64af56b9bf516892.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_syswow64_speech_onecore_common_3ac1627a1b848769.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_syswow64_setup_b8f1f0fc4fb15499.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_syswow64_recovery_359f81e4d381fca3.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_syswow64_oobe_1bf24c07bb30ce37.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_syswow64_migration_bdcfa47e8790e0c4.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_syswow64_licenses_neutral_volume_core_f4caba3f8d1530f8.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_syswow64_licenses_neutral_oem_core_70db5f046a21e239.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_syswow64_licenses_neutral_default_core_80ee44699e45274c.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_syswow64_en-us_9e576ab077991fe8.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_syswow64_drivers_193c6528ad70a5e7.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_syswow64_dism_1bf2381fbb30eb13.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_syswow64_dism_zh-cn_c2fe5b7292c1efd7.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_syswow64_dism_en-us_c5f337028c1b1b59.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_syswow64_config_397022e597c7bf30.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_syswow64_config_systemprofile_936cc011f8712e92.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_syswow64_config_systemprofile_appdata_09753eb0ca774ef7.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_syswow64_config_systemprofile_appdata_roaming_3bee7e22f285c764.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_syswow64_config_systemprofile_appdata_locallow_062ee28842850640.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_syswow64_config_systemprofile_appdata_local_0bd41f8b89ae9a9e.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemresources_0307ca33e1cd9708.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemresources_windows.ui.settingsappthreshold_0b97cbddb6bef8ee.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemresources_windows.ui.settingsappthreshold_systemsettings_6f826ed139dc38ac.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemresources_windows.ui.settingsappthreshold_systemsettings_assets_b04b2dbada91ba13.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemresources_windows.ui.settingsappthreshold_systemsettings_assets_fonts_e1429b15bb7a603f.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemresources_windows.ui.settingsappthreshold_pris_c69f4420e8b9ac96.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemresources_windows.ui.settingsadminflowuithreshold_80571585edc0bc10.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemresources_windows.ui.settingsadminflowuithreshold_systemsettingsthresholdadminflowui_a2baca8046478552.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemresources_windows.ui.settingsadminflowuithreshold_systemsettingsthresholdadminflowui_assets_5ec4ff00d0d98653.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemresources_windows.ui.settingsadminflowuithreshold_systemsettingsthresholdadminflowui_assets_45f5e040701cd097.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemresources_windows.ui.settingsadminflowuithreshold_pris_8eb5d62ebc93ca12.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemresources_windows.ui.printdialog_bd64301dff14d784.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemresources_windows.ui.printdialog_pris_0268448be4f886da.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemresources_windows.ui.pcshell_f32245a82a039128.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemresources_windows.ui.pcshell_peoplepane_assets_1773a8a6e1ab2266.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemresources_windows.systemtoast.calling_40954ac04ff75ba9.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemresources_windows.systemtoast.calling_images_ab93f75fc87b1c0d.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemresources_microsoft.windows.sechealthui_5bb2238b2acc9da0.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.windows.sechealthui_cw5n1h2txyewy_8cdc4a2b89a0ce24.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.windows.sechealthui_cw5n1h2txyewy_assets_2c72493351d74c03.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.windows.sechealthui_cw5n1h2txyewy_assets_fonts_6ccf17025b49a9e7.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.windows.cortana_cw5n1h2txyewy_2d6b8920d3f31e0d.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.windows.contentdeliverymanager_cw5n1h2txyewy_6369fdd3e5ab0989.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.windows.contentdeliverymanager_cw5n1h2txyewy_images_f48d365ca6bf839f.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.windows.cloudexperiencehost_cw5n1h2txyewy_e92250ef2519d1f6.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.windows.cloudexperiencehost_cw5n1h2txyewy_webapps_0c3414e5ea9b964c.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.windows.cloudexperiencehost_cw5n1h2txyewy_webapps_unifiedenrollment_608128e0971fe102.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.windows.cloudexperiencehost_cw5n1h2txyewy_webapps_unifiedenrollment_views_ab3b53e7951674ac.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.windows.cloudexperiencehost_cw5n1h2txyewy_webapps_unifiedenrollment_js_c50fa6bbbb7c87b1.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.windows.cloudexperiencehost_cw5n1h2txyewy_webapps_templates_2902e194c40c2d99.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.windows.cloudexperiencehost_cw5n1h2txyewy_webapps_templates_view_fa144ce8b696a5f6.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.windows.cloudexperiencehost_cw5n1h2txyewy_webapps_templates_js_30c977d57667d018.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.windows.cloudexperiencehost_cw5n1h2txyewy_webapps_surfacehubdeviceuser_40a8494b26aff035.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.windows.cloudexperiencehost_cw5n1h2txyewy_webapps_surfacehubdeviceuser_view_878bf08afd4f7608.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.windows.cloudexperiencehost_cw5n1h2txyewy_webapps_surfacehubdeviceuser_js_b837e3558be51686.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.windows.cloudexperiencehost_cw5n1h2txyewy_webapps_scoobe_47e577bfb89f66ff.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.windows.cloudexperiencehost_cw5n1h2txyewy_webapps_scoobe_view_ffe5b70b18357b66.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.windows.cloudexperiencehost_cw5n1h2txyewy_webapps_scoobe_media_2e29d64a701c210b.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.windows.cloudexperiencehost_cw5n1h2txyewy_webapps_scoobe_js_2be3c432c2ce3ede.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.windows.cloudexperiencehost_cw5n1h2txyewy_webapps_scoobe_js_common_5c49fd1a5570d1f3.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.windows.cloudexperiencehost_cw5n1h2txyewy_webapps_inclusivesspr_d9ae0f7fd2cccc94.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.windows.cloudexperiencehost_cw5n1h2txyewy_webapps_inclusivesspr_view_a30cd40228c98533.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.windows.cloudexperiencehost_cw5n1h2txyewy_webapps_inclusivesspr_js_04768872769d851d.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.windows.cloudexperiencehost_cw5n1h2txyewy_webapps_inclusiveoobe_d9ae09c5d2ccd3fb.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.windows.cloudexperiencehost_cw5n1h2txyewy_webapps_inclusiveoobe_view_9d516b3c2e3e1a84.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.windows.cloudexperiencehost_cw5n1h2txyewy_webapps_inclusiveoobe_view_templat_72e2a4dd8431fbed.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.windows.cloudexperiencehost_cw5n1h2txyewy_webapps_inclusiveoobe_media_fff1539a1a4e3fb7.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.windows.cloudexperiencehost_cw5n1h2txyewy_webapps_inclusiveoobe_js_fed525f87d913b20.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.windows.cloudexperiencehost_cw5n1h2txyewy_webapps_inclusiveoobe_js_common_9b35fdf5c98f69bb.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.windows.cloudexperiencehost_cw5n1h2txyewy_webapps_inclusiveoobe_css_9d5145ddb46283ae.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.windows.cloudexperiencehost_cw5n1h2txyewy_webapps_hololensdiagnostics_views_d5eef763b212983a.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.windows.cloudexperiencehost_cw5n1h2txyewy_webapps_hololensdiagnostics_js_8c1a5a20ff89a7b5.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.windows.cloudexperiencehost_cw5n1h2txyewy_webapps_enterprisengcenrollment_82255765359ba571.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.windows.cloudexperiencehost_cw5n1h2txyewy_webapps_enterprisengcenrollment_vi_7e71e645381609fd.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.windows.cloudexperiencehost_cw5n1h2txyewy_webapps_enterprisengcenrollment_js_c58adfa13ec3cacc.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.windows.cloudexperiencehost_cw5n1h2txyewy_webapps_antitheft_24a5fefd01d630ef.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.windows.cloudexperiencehost_cw5n1h2txyewy_webapps_antitheft_views_c7398a706c782c0f.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.windows.cloudexperiencehost_cw5n1h2txyewy_webapps_antitheft_js_08cf6efb11d0da96.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.windows.cloudexperiencehost_cw5n1h2txyewy_views_f55d581a0acbb522.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.windows.cloudexperiencehost_cw5n1h2txyewy_speech_f55759080d09bc14.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.windows.cloudexperiencehost_cw5n1h2txyewy_speech_4009_f24be8641cd5eaeb.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.windows.cloudexperiencehost_cw5n1h2txyewy_speech_1009_f24be8d01cd5e9f8.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.windows.cloudexperiencehost_cw5n1h2txyewy_speech_0c0c_f24bfc161cd5cc82.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.windows.cloudexperiencehost_cw5n1h2txyewy_speech_0c0a_f24bf84a1cd5d234.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.windows.cloudexperiencehost_cw5n1h2txyewy_speech_0c09_f24be91a1cd5e8fc.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.windows.cloudexperiencehost_cw5n1h2txyewy_speech_080a_f24bf8341cd5d297.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.windows.cloudexperiencehost_cw5n1h2txyewy_speech_0809_f24be9041cd5e95f.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.windows.cloudexperiencehost_cw5n1h2txyewy_speech_0804_f24bdf861cd5f79c.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.windows.cloudexperiencehost_cw5n1h2txyewy_speech_0416_f24be34a1cd5f20f.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.windows.cloudexperiencehost_cw5n1h2txyewy_speech_0411_f24bd9cc1cd6004c.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.windows.cloudexperiencehost_cw5n1h2txyewy_speech_0410_f24bd7e61cd60325.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.windows.cloudexperiencehost_cw5n1h2txyewy_speech_040c_f24bfbf81cd5cd09.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.windows.cloudexperiencehost_cw5n1h2txyewy_speech_0409_f24be8fc1cd5e983.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.windows.cloudexperiencehost_cw5n1h2txyewy_speech_0407_f24be5301cd5ef35.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.windows.cloudexperiencehost_cw5n1h2txyewy_retaildemo_d6007de2c4449ca2.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.windows.cloudexperiencehost_cw5n1h2txyewy_pris_4436110b27fc8d08.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.windows.cloudexperiencehost_cw5n1h2txyewy_microsoft.winjs-reduced_36e69b3b0e7ecf70.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.windows.cloudexperiencehost_cw5n1h2txyewy_microsoft.winjs-reduced_js_c3e6a46e6987d93b.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.windows.cloudexperiencehost_cw5n1h2txyewy_microsoft.winjs-reduced_css_1f290cb460a43b49.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.windows.cloudexperiencehost_cw5n1h2txyewy_media_f54b539a0b1cc81a.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.windows.cloudexperiencehost_cw5n1h2txyewy_lib_b0f47f90f3500a51.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.windows.cloudexperiencehost_cw5n1h2txyewy_js_91283bc423026fc5.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.windows.cloudexperiencehost_cw5n1h2txyewy_images_f5434c400d60dd7c.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.windows.cloudexperiencehost_cw5n1h2txyewy_fonts_f53d61bc0b5bbe04.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.windows.cloudexperiencehost_cw5n1h2txyewy_data_4436285d27fc685e.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.windows.cloudexperiencehost_cw5n1h2txyewy_data_prod_c85cee3a7af640ef.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.windows.cloudexperiencehost_cw5n1h2txyewy_css_b0f49fc4f34fda43.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.windows.cloudexperiencehost_cw5n1h2txyewy_core_443623ff27fc6f6b.cdf-ms Handle ID: 0x70 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.windows.cloudexperiencehost_cw5n1h2txyewy_core_view_c303ad0c866a9c46.cdf-ms Handle ID: 0x70 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.windows.cloudexperiencehost_cw5n1h2txyewy_core_js_2a738435bdbe8f70.cdf-ms Handle ID: 0x70 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.windows.cloudexperiencehost_cw5n1h2txyewy_core_js_applaunchers_de40849bf361043c.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.microsoftedge_8wekyb3d8bbwe_43d095bdcce4e130.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.microsoftedge_8wekyb3d8bbwe_pris_4719a634d2c04eec.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.microsoftedge_8wekyb3d8bbwe_assets_f8075bc7ad02362b.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.microsoftedge_8wekyb3d8bbwe_assets_webnotes_febc6b7abccb2874.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.microsoftedge_8wekyb3d8bbwe_assets_readingview_e64e82231b0e5fce.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.microsoftedge_8wekyb3d8bbwe_assets_readingview_css_3066d24b0856bea1.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.microsoftedge_8wekyb3d8bbwe_assets_persona_4fd2132d4ad15439.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.microsoftedge_8wekyb3d8bbwe_assets_offlinetabs_7d551ad6791e5fc2.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.microsoftedge_8wekyb3d8bbwe_assets_offlinetabs_offlinetabs_files_606f2d436ca9f85f.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.microsoftedge_8wekyb3d8bbwe_assets_hostextensions_pinjsapi_85e7afd298d161a3.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.microsoftedge_8wekyb3d8bbwe_assets_hostextensions_pinjsapi_content_bce4d61c88fff4ac.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.microsoftedge_8wekyb3d8bbwe_assets_hostextensions_learningtools_25cb263578b00eec.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.microsoftedge_8wekyb3d8bbwe_assets_hostextensions_autoformfill_dcb3be839f31d5cd.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.microsoftedge_8wekyb3d8bbwe_assets_hostextensions_autoformfill_prefill_578958a487bb2d19.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.microsoftedge_8wekyb3d8bbwe_assets_hostextensions_autoformfill_document_3a04a7fa7c0c1008.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.microsoftedge_8wekyb3d8bbwe_assets_hostextensions_autoformfill_content_5091a4e29314f3d6.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.microsoftedge_8wekyb3d8bbwe_assets_fonts_206f147a74e786c9.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.microsoftedge_8wekyb3d8bbwe_assets_errorpages_73ec08ffb6105e23.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.microsoftedge_8wekyb3d8bbwe_assets_dictionary_0a4f3c3a52411629.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.microsoftedge_8wekyb3d8bbwe_assets_contextmenu_6a54d142fb74801d.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.microsoftedge_8wekyb3d8bbwe_assets_bookviewer_990e8d61fcad5c14.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.microsoftedge_8wekyb3d8bbwe_assets_bookviewer_js_78c5ff49aa9e261b.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.microsoftedge_8wekyb3d8bbwe_assets_bookviewer_css_38b1881b8abcd7a5.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.microsoftedge_8wekyb3d8bbwe_assets_booklibrary_3e904335483f7fff.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.microsoftedge_8wekyb3d8bbwe_assets_applicationguard_8359e7f74deb583c.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.accountscontrol_cw5n1h2txyewy_fc38de406c5c8223.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.accountscontrol_cw5n1h2txyewy_pris_f2961b1ae98936c3.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.accountscontrol_cw5n1h2txyewy_assets_b23e6d9669ed5578.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_21f9a9c4a2f8b514.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_zh-cn_6a8499504900c466.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_windowspowershell_v1.0_3f102d555ee05d33.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_windowspowershell_v1.0_zh-cn_028e5dc1cad565fb.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_windowspowershell_v1.0_modules_a349059b05097caa.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_windowspowershell_v1.0_modules_tls_36c96f1eb9feecc5.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_windowspowershell_v1.0_modules_provisioning_59992d8d97512395.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_windowspowershell_v1.0_modules_netswitchteam_c23a4af35d296eac.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_windowspowershell_v1.0_modules_netlbfo_dfa61a2ec6bf8e00.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_windowspowershell_v1.0_modules_netconnection_bcd4e6858fe3adb5.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_windowspowershell_v1.0_en-us_028e6949cac04f1d.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_winbioplugins_071a28c5b510fb6a.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_winbioplugins_facedriver_1cf62c11bac4d1af.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_winbioplugins_facedriver_amd64_a24e7f3c1523e31d.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_wbem_06656d9fdf2f8577.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_wbem_zh-cn_4260d62eb8680d01.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_wbem_en-us_4555b1beb1c13883.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_unp_06656839d047b419.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_systemresetplatform_14fecc2716acccef.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_spp_tokens_skus_coresinglelanguage_c30c5cdb26133062.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_spp_tokens_skus_core_1cc91710e2d99b18.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_spp_store_2.0_774a618ff1521716.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_spp_plugin-manifests-signed_d1e9d31c180bebd2.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_spool_prtprocs_x64_bfba530a0f4e6934.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_speech_onecore_voiceactivation_57f72a0344e2d398.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_speech_onecore_common_60bf750299e8ab15.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_setup_5d3758a05cf4a445.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_recovery_f87e94e0816fb86b.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_perceptionsimulation_782fb292607e7bbe.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_perceptionsimulation_assets_26be616134e2f347.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_openssh_f142c5dc07dcf27a.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_oobe_06655c95df2fa06f.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_networklist_029a48465a9cac56.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_networklist_icons_2b49083c03963dec.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_migwiz_2650d8d30fee1fe9.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_migwiz_replacementmanifests_174c7b92bb7d581f.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_migwiz_replacementmanifests_sppmig_61344cc740310c55.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_migwiz_replacementmanifests_microsoft-windows-textservicesframework-migration_55ee7b7ed7f684bc.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_migwiz_replacementmanifests_microsoft-windows-shmig_9ef85dcb89d16c58.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_migwiz_replacementmanifests_microsoft-windows-directoryservices-adam-client_acf5a5eb145af9c7.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_migwiz_dlmanifests_f1386c432966667b.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_migwiz_dlmanifests_microsoft-windows-textservicesframework-migration-dl_549205906affe6bf.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_migration_927a21df1acd7c18.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_logfiles_cloudfiles_4f1ca5d4f4bf5aad.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_licenses_neutral_volume_core_7d7616e8e51d2f30.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_licenses_neutral_oem_core_dbf7b420a872a98d.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_licenses_neutral_default_core_743617bc23d69252.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_keywords_eb5d4b4494a589fe.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_ja-jp_4c1d2478769bf2f4.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_ime_shared_5a5b3a5824d8fee4.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_icsxml_1f8f393b196e65ae.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_fr-fr_448347788202c03b.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_fr-ca_448327328202f0a1.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_en-us_429cd25484dc6f94.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_drivers_dc1b782427b5ee1b.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_drivers_umdf_a531b5dc588477d3.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_dism_066548addf2fbd4b.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_dism_zh-cn_035a5f2073af1d51.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_dism_en-us_064f3ab06d0848d3.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_diagsvcs_dd4fddd4aaa5e8ac.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_de-de_40b6416a87b647ef.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_ddfs_06654947df2fbc31.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_config_1277fa612e559336.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_config_systemprofile_9dec82772012c8ca.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_config_systemprofile_appdata_92209b51227f4d2f.cdf-ms Handle ID: 0x70 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_config_systemprofile_appdata_roaming_3488f27ae602299c.cdf-ms Handle ID: 0x70 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_config_systemprofile_appdata_locallow_ecfb9e22d0b5fdec.cdf-ms Handle ID: 0x70 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_config_systemprofile_appdata_local_bceee85fd37df118.cdf-ms Handle ID: 0x70 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_codeintegrity_e9af9308cfc26dc2.cdf-ms Handle ID: 0x70 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_codeintegrity_cipolicies_staged_276d48e6ef8844ae.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_codeintegrity_cipolicies_active_29d3e16aea6e0340.cdf-ms Handle ID: 0x68 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_boot_06654401df2fc50e.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_appraiser_59bebec9f06db09b.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system_4c3aa2308f9f8f41.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system_speech_00e1f005eaf69ef5.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_shellexperiences_2912c63bd045ac45.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_servicing_fc2045b9046cc796.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_servicing_editions_596ea20ddafb9f7d.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_security_fe3ad40cd6e08c7c.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_provisioning_cc9458acec1840ff.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_provisioning_packages_e07c8f8a91f541c4.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_provisioning_cosa_b2feb78251a8a259.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_provisioning_cosa_oem_c5f03ab2bad804ca.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_provisioning_cosa_mo_c5f03b0eb90452f5.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_provisioning_cosa_microsoft_77338a94bd8669dd.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_provisioning_autopilot_705495c13beba2f8.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_printdialog_af71281e89102b83.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_prefetch_1688e4e8b2f89473.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_policydefinitions_89130cdfc4d9c27c.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_policydefinitions_zh-cn_382780099447a92c.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_policydefinitions_en-us_3b1c5b998da0d4ae.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_pla_rules_0bde462ce96f215e.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_pla_reports_a2604845b2b380ca.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_logs_measuredboot_ab1fadc53c86b337.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_livekernelreports_13126bbee8c1252a.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_l2schemas_d7bb5637381de58c.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_installer_0d1280e2e633dc00.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_inf_3f581daba4c8c835.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_inf_wsearchidxpi_a2c41dc1731a4204.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_inf_wsearchidxpi_0000_2e6e3f1caf9fca20.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_inf_ugthrsvc_9c5b081f28f83f11.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_inf_ugthrsvc_0000_8451c300df70be5f.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_inf_ugatherer_9f1f9c5b6cd50d98.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_inf_ugatherer_0000_046b5203f9ca3f14.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_immersivecontrolpanel_1e6ccf0e6a91b570.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_immersivecontrolpanel_zh-cn_80cdca5e7a4c19a6.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_immersivecontrolpanel_systemsettings_d76332102e6a9a22.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_immersivecontrolpanel_systemsettings_view_34ee44a07ef70449.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_immersivecontrolpanel_systemsettings_assets_6ba5b2461d9725af.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_immersivecontrolpanel_pris_a05890fcf353f1d8.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_immersivecontrolpanel_images_2e6232377292b2dc.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_immersivecontrolpanel_en-us_83c2a5ee73a54528.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_identitycrl_e7d9c9e97cfb8b01.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_globalization_0fc22903a221b67f.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_diagtrack_0600d0deecd2b5a2.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_diagtrack_settings_56f8a3f40ce5a801.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_diagtrack_scenarios_ce5f6e43b7ab3f41.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_containers_serviced_07c9b2b35f82b615.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_boot_40104b85a18bfcb2.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_boot_pcat_0f8924c0debe64e4.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_boot_pcat_qps-ploc_109d95b40d3e11cb.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_boot_misc_pcat_6b00b12988eafd38.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_boot_efi_0f890f82be247f42.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_boot_dvd_efi_de3c4ceb52549e1c.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_boot_dvd_efi_en-us_8245c3aed97c0844.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_bcastdvr_fab1ebc0dbf2dacb.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_apppatch_1143992cbbbebcab.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_apppatch_zh-cn_31758f6e3c3f408b.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_apppatch_en-us_098dc872781aebb9.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_appcompat_appraiser_33781004733ffeee.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_appcompat_appraiser_telemetry_94274e99519f58a9.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\users.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\users_public_8c076a3be22985a1.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\users_public_videos_20f7329ef941f593.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\users_public_pictures_f5e7b0c0fda4db8c.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\users_public_music_8c1f3dc399e79184.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\users_public_libraries_de6591322faedac0.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\users_public_downloads_631cc37cff593fe6.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\users_public_documents_70461e22eba239ef.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\users_public_desktop_2377dac7383055bd.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\users_default_73615b64075aa65f.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\users_default_videos_4078dfd58aff2cd5.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\users_default_saved_games_57aaea1c026aa551.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\users_default_pictures_209185c2b71537e4.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\users_default_music_4066f7392302d756.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\users_default_links_4064ed15230be7d0.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\users_default_favorites_d09a481c8ccc2a28.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\users_default_downloads_d0a063ac92c2c070.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\users_default_documents_a9a4e48ccdf32dcf.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\users_default_desktop_39aa59e1159d1203.cdf-ms Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\users_default_appdata_33f0d5f51e505ec2.cdf-ms Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\users_default_appdata_roaming_482f0bdd00d1643d.cdf-ms Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\users_default_appdata_roaming_microsoft_b898cfd29d5951f1.cdf-ms Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\users_default_appdata_roaming_microsoft_windows_4793cab2f72cc262.cdf-ms Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\users_default_appdata_roaming_microsoft_windows_templates_9327e87141b4e78f.cdf-ms Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\users_default_appdata_roaming_microsoft_windows_start_menu_5eb528778fd8d821.cdf-ms Handle ID: 0x84 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\users_default_appdata_roaming_microsoft_windows_start_menu_programs_8181428e5873cb4e.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\users_default_appdata_roaming_microsoft_windows_start_menu_programs_accessories_73cb70a3fcd6fd42.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\users_default_appdata_roaming_microsoft_windows_sendto_cc2b2363b7303311.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\users_default_appdata_roaming_microsoft_windows_recent_ca449f9bba09f987.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\users_default_appdata_roaming_microsoft_windows_network_shortcuts_cbcbd4ac7028a985.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\users_default_appdata_roaming_microsoft_internet_explorer_quick_launch_c0ec1d6b06e5808b.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\users_default_appdata_local_bc5dd6ae41aaaeeb.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\users_default_appdata_local_temp_3274946c96022019.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\users_default_appdata_local_microsoft_3433db0fbe07ab7f.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\users_default_appdata_local_microsoft_windowsapps_522fbbfd57c17136.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\users_default_appdata_local_microsoft_windows_9e28651fd972d480.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\users_default_appdata_local_microsoft_windows_inetcookies_706c818672b5499f.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\users_default_appdata_local_microsoft_windows_inetcache_93b6f38324ca2118.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\users_default_appdata_local_microsoft_windows_history_f4337fe0129e212c.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\users_default_appdata_local_microsoft_windows_gameexplorer_5a14824a005868dd.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\programdata.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\programdata_usoshared_logs_user_cc47ba2ac1c4ac78.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\programdata_usoshared_logs_system_1d654048a9eadf5a.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\programdata_usoprivate_f18983166baec8e8.cdf-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\programdata_ssh_538e540ae643d2cc.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\programdata_softwaredistribution_ae0bdc9bb1bbdfab.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\programdata_microsoft_fe5c6d762edd2110.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\programdata_microsoft_windows_security_health_ef9cc294168a8b97.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\programdata_microsoft_windows_security_health_logs_d0133fe6679072ac.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\programdata_microsoft_windows_security_health_health_advisor_caf4bd491726b327.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\programdata_microsoft_windows_cae2264614449191.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\programdata_microsoft_windows_wer_temp_783673b09e921b6b.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\programdata_microsoft_windows_wer_reportqueue_9ca35f30fc68b178.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\programdata_microsoft_windows_wer_reportarchive_5449504010b82c41.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\programdata_microsoft_windows_templates_15e72976404301fc.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\programdata_microsoft_windows_start_menu_fde55420546edfe6.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\programdata_microsoft_windows_start_menu_programs_d672ba09d81e87ff.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\programdata_microsoft_windows_start_menu_programs_system_tools_fde5decba5bb578b.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\programdata_microsoft_windows_start_menu_programs_startup_b13751030220a596.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\programdata_microsoft_windows_start_menu_programs_administrative_tools_50eba26877c48094.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\programdata_microsoft_windows_packagedeventproviders_c79719361ec06661.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\programdata_microsoft_windows_gameexplorer_eb83b477ca9834cc.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\programdata_microsoft_windows_devicemetadatastore_2e1ff34936d2e8e5.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\programdata_microsoft_windows_clipsvc_debc96072b71b0d5.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\programdata_microsoft_windows_clipsvc_install_149a5029c4c64782.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\programdata_microsoft_windows_clipsvc_import_865699c21a2ad5a2.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\programdata_microsoft_windows_clipsvc_genuineticket_d7322dcf4073011e.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\programdata_microsoft_windows_clipsvc_archive_f622c70ff2ada08b.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\programdata_microsoft_windows_apprepository_3e49394d38e6ac94.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\programdata_microsoft_windows_apprepository_packages_711aa2dd7039ca9d.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\programdata_microsoft_windows_apprepository_families_5e2e105f8c5e974e.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\programdata_microsoft_speech_onecore_587c58cfbeda0062.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\programdata_microsoft_network_downloader_7fafaef6d33e4371.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\programdata_microsoft_crypto_pcpksp_windowsaik_cb9775b914a8e5a2.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\program_files_x86__676bbe2c7241b694.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\program_files_x86_windows_media_player_e9607c93dd43c2ea.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\program_files_x86_windows_media_player_network_sharing_f29a3dd721834a7e.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\program_files_x86_windows_media_player_media_renderer_750773e49fdbfa5b.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\program_files_x86_internet_explorer_cafab575245eacb0.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\program_files_ffd0cbfc813cc4f1.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\program_files_windowsapps_8909e9aceeb80d44.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\program_files_windowsapps_mutablebackup_726f6fa1fbd23cbc.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\program_files_windowsapps_mutable_4773d03dc650afca.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\program_files_windowsapps_deleted_382e0caddd5f5e75.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\program_files_windows_media_player_da4e5f6eb3198de9.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\program_files_windows_media_player_network_sharing_aed05552f451fd7d.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\program_files_windows_media_player_media_renderer_5001a1a5de706f6e.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\program_files_windows_defender_3e33901162166ae9.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\program_files_windows_defender_zh-cn_a607efc90bb51673.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\program_files_windows_defender_en-us_a607fb510b9fff95.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\program_files_modifiablewindowsapps_230f2b3b95f10a16.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\program_files_internet_explorer_a421d1bfaf856e2b.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$recycle.bin.cdf-ms Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: ? New Security Descriptor: S:ARAI(AU;SAFA;0x1f0116;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Program Files\Internet Explorer\iediagcmd.exe Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Program Files\Internet Explorer\IEShims.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Program Files\Windows Defender\DefenderCSP.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Program Files\Windows Defender\MpEvMsg.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Program Files\Windows Defender\ProtectionManagement.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Program Files\Windows Defender\en-US\MpEvMsg.dll.mui Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Program Files\Windows Defender\zh-CN\MpEvMsg.dll.mui Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Program Files (x86)\Internet Explorer\IEShims.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\explorer.exe Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\apppatch\AcRes.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\apppatch\drvmain.sdb Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\apppatch\sysmain.sdb Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\apppatch\en-US\AcRes.dll.mui Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\apppatch\zh-CN\AcRes.dll.mui Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\bcastdvr\KnownGameList.bin Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Boot\DVD\EFI\en-US\efisys.bin Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Boot\DVD\EFI\en-US\efisys_noprompt.bin Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Boot\PCAT\qps-ploc\bootmgr.exe.mui Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.bin Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\ImmersiveControlPanel\SystemSettings.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\ImmersiveControlPanel\SystemSettingsViewModel.Desktop.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\ImmersiveControlPanel\Telemetry.Common.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\ImmersiveControlPanel\en-US\SystemSettings.exe.mui Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\ImmersiveControlPanel\zh-CN\SystemSettings.exe.mui Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\INF\apps.inf Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\INF\printupg.inf Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\INF\sceregvl.inf Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\INF\secrecs.inf Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\PolicyDefinitions\en-US\TextInput.adml Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\PolicyDefinitions\zh-CN\InetRes.adml Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\PolicyDefinitions\zh-CN\TextInput.adml Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\PrintDialog\PrintDialog.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Provisioning\Cosa\Microsoft\Microsoft.Windows.Cosa.Desktop.Client.ppkg Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\servicing\TrustedInstaller.exe Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\servicing\Editions\EditionMatrix.xml Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\ShellExperiences\ClockFlyoutExperience.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\ShellExperiences\DevicesFlowUI.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\ShellExperiences\Insights.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\ShellExperiences\MtcUvc.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\ShellExperiences\PenWorkspace.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\ShellExperiences\PeopleCommonControls.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\ShellExperiences\PeoplePane.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\ShellExperiences\ScreenClipping.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\AarSvc.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\acmigration.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\ActivationManager.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\aeinv.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\agentactivationruntime.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\agentactivationruntimewindows.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\appinfo.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\ApplicationControlCSP.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\ApplyTrustOffline.exe Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\appraiser.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\AppxAllUserStore.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\AppXApplicabilityBlob.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\AppXDeploymentClient.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\AppXDeploymentExtensions.desktop.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\AppXDeploymentExtensions.onecore.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\AppXDeploymentServer.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\asycfilt.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\audiodg.exe Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\AudioEndpointBuilder.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\AudioEng.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\AUDIOKSE.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\audioresourceregistrar.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\AudioSes.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\audiosrv.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\autopilot.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\autopilotdiag.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\AxInstSv.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\AxInstUI.exe Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\BarcodeProvisioningPlugin.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\BCP47Langs.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\BCP47mrm.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\bindflt.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\bisrv.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\cdp.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\cdpsvc.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\cellulardatacapabilityhandler.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\Chakra.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\Chakradiag.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\Chakrathunk.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\clfsw32.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\ClipSVC.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\ClipUp.exe Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\cloudAP.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\clusapi.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\combase.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\comctl32.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\comdlg32.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\compstui.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\computecore.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\ConhostV1.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\CPFilters.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\crypt32.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\cryptcatsvc.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\CustomInstallExec.exe Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\DAFMCP.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\DafPrintProvider.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\daxexec.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\Defrag.exe Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\defragsvc.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\DeviceDirectoryClient.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\DeviceMetadataRetrievalClient.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\DevicePairingExperienceMEM.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\DeviceReactivation.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\DeviceUpdateAgent.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\dfrgui.exe Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\DiagnosticLogCSP.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\diagtrack.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\directml.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\DispBroker.Desktop.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\DMAlertListener.ProxyStub.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\dmcmnutils.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\DolbyDecMFT.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\dosvc.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\dot3api.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\dot3msm.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\dot3svc.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\DrtmAuth1.bin Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\DrtmAuth10.bin Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\DrtmAuth11.bin Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\DrtmAuth12.bin Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\DrtmAuth2.bin Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\DrtmAuth3.bin Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\DrtmAuth4.bin Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\DrtmAuth5.bin Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\DrtmAuth6.bin Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\DrtmAuth7.bin Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\DrtmAuth8.bin Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\DrtmAuth9.bin Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\DscCore.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\dssvc.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\dstokenclean.exe Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\DTUHandler.exe Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\dusmapi.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\dusmsvc.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\dusmtask.exe Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\dwmcore.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\DWWIN.EXE Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\dxgi.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\EdgeContent.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\edgehtml.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\edgeIso.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\EdgeManager.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\EditBufferTestHook.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\EditionUpgradeHelper.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\EditionUpgradeManagerObj.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\enterprisecsps.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\EnterpriseDesktopAppMgmtCSP.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\enterpriseresourcemanager.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\esent.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\Faultrep.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\FaxPrinterInstaller.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\fdSSDP.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\fdWSD.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\findnetprinters.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\FntCache.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\FrameServer.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\FSClient.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\FsIso.exe Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\gdi32full.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\GdiPlus.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\globinputhost.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\GraphicsCapture.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\HologramCompositor.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\HologramWorld.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\HolographicExtensions.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\hvax64.exe Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\hvix64.exe Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\hvloader.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\Hydrogen.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\icsunattend.exe Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\ie4uinit.exe Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\iedkcs32.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\ieframe.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\iemigplugin.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\ieproxy.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\iertutil.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\ImplatSetup.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\IndexedDbLegacy.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\inetcpl.cpl Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\InputLocaleManager.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\InputService.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\InstallService.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\InstallServiceTasks.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\invagent.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\ipnathlp.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\iprtprio.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\iprtrmgr.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\ISM.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\jscript.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\jscript9.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\jscript9diag.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\jsproxy.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\kdhvcom.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\kerberos.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\KernelBase.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\keyiso.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\KnobsCore.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\KnobsCsp.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\LangCleanupSysprepAction.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\LanguageComponentsInstaller.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\LaunchTM.exe Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\LaunchWinApp.exe Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\LicensingWinRT.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\localspl.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\logoncli.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\lpksetup.exe Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\lpksetupproxyserv.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\lpremove.exe Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\MBMediaManager.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\MBR2GPT.EXE Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\mcicda.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\mciseq.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\mciwave.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\MCRecvSrc.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\MDMAppInstaller.exe Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\MdmDiagnostics.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\mf.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\mf3216.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\mfasfsrcsnk.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\mfcore.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\mfmp4srcsnk.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\mfmpeg2srcsnk.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\mfplat.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\mfreadwrite.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\mfsensorgroup.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\mfsrcsnk.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\mfsvr.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\Microsoft.Graphics.Display.DisplayEnhancementService.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\MicrosoftAccountCloudAP.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\MicrosoftAccountExtension.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\MicrosoftAccountTokenProvider.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\mpnotify.exe Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\mprdim.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\MSAProfileNotificationHandler.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\msauserext.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\msctf.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\msfeeds.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\msfeedsbs.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\msfeedssync.exe Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\MSFlacDecoder.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\MSFlacEncoder.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\mshtml.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\mshtml.tlb Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\msi.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\msimg32.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\msimsg.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\msIso.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\msmpeg2vdec.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\msscntrs.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\mssitlb.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\mssph.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\mssprxy.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\mssrch.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:52 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\mssvp.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\mstscax.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\msutb.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\MUILanguageCleanup.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\musdialoghandlers.dll Handle ID: 0x84 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\MusNotification.exe Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\MusNotificationUx.exe Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\MusNotifyIcon.exe Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\MusUpdateHandlers.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\ncsi.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\NetDriverInstall.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\netlogon.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\netman.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\netprofm.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\netprofmsvc.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\NetSetupApi.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\NetSetupEngine.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\NFCProvisioningPlugin.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\ngcpopkeysrv.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\nlaapi.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\nlasvc.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\nlmproxy.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\nlmsprep.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\notepad.exe Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\NotificationController.dll Handle ID: 0x70 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\npmproxy.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\odbc32.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\ole32.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\oleaut32.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\omadmapi.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\omadmclient.exe Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\OpenWith.exe Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\ortcengine.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\pacjsworker.exe Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\pidgenx.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\pkeyhelper.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\pnpclean.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\printui.exe Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\profapi.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\profext.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\profsvc.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\provdatastore.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\provengine.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\provhandlers.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\provisioningcsp.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\provops.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\provpackageapidll.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\ProvPluginEng.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\ProvSysprep.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\provtool.exe Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\puiapi.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\puiobj.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\qmgr.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\rasmans.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\rdpbase.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\rdpclip.exe Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\rdpcore.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\rdpcorets.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\rdpencom.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\rdpnano.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\rdpserverbase.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\rdpsharercom.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\rdpudd.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\rdpviewerax.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\rdsdwmdr.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\ReAgent.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\recdisc.exe Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\refsutil.exe Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\regapi.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\remoteaudioendpoint.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\RemovableMediaProvisioningPlugin.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\reseteng.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\ResetEngine.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\ResetEngine.exe Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\ResetEngOnline.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\resutils.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\rpcrt4.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\rstrui.exe Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\rtm.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\rtmcodecs.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\rtmmvrortc.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\rtmpal.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\rtmpltfm.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\rtutils.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\runexehelper.exe Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\scecli.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\sdclt.exe Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\sdengin2.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\sdrsvc.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\sdshext.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\Search.ProtocolHandler.MAPI2.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\SearchFilterHost.exe Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\SearchIndexer.exe Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\SearchProtocolHost.exe Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\SecConfig.efi Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\sechost.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\SecurityHealthAgent.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\SecurityHealthHost.exe Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\SecurityHealthProxyStub.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\SecurityHealthService.exe Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\SecurityHealthSSO.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\SecurityHealthSystray.exe Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\SettingsEnvironment.Desktop.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\SettingsHandlers_AppExecutionAlias.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\SettingsHandlers_BackgroundApps.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\SettingsHandlers_CapabilityAccess.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\SettingsHandlers_Language.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\SettingsHandlers_Notifications.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\SettingsHandlers_SpeechPrivacy.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\SettingsHandlers_StorageSense.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\SgrmEnclave_secure.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\shell32.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\slui.exe Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\SpatialAudioLicenseSrv.exe Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\sppcext.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\sppcomapi.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\SppExtComObj.Exe Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\sppobjs.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\sppsvc.exe Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\sppwinob.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\srcore.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\SRH.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\srms.dat Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\srrstr.dll Handle ID: 0x70 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\SrTasks.exe Handle ID: 0x70 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\StartTileData.dll Handle ID: 0x70 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\sti.dll Handle ID: 0x80 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\sti_ci.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\StructuredQuery.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\sxs.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\sxstrace.exe Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\sysmain.dll Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\SysResetErr.exe Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\systemreset.exe Handle ID: 0x6c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\SystemSettings.Handlers.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\SystemSettingsAdminFlows.exe Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\SystemSettingsThresholdAdminFlowUI.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\tapisrv.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\Taskmgr.exe Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\tbs.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\TelephonyInteractiveUser.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\TelephonyInteractiveUserRes.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\termsrv.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\TetheringMgr.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\TextInputFramework.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\TextInputMethodFormatter.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\tier2punctuations.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\TpmCertResources.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\TpmCoreProvisioning.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\tquery.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\tsgqec.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\tsmf.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\twinapi.appcore.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\twinapi.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\twinui.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\twinui.pcshell.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\udhisapi.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\uDWM.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\UIAutomationCore.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\UpdateDeploymentProvider.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\upnpcont.exe Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\upnphost.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\uReFS.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\urlmon.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\user32.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\UserLanguageProfileCallback.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\usoapi.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\UsoClient.exe Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\usocoreworker.exe Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\usosvc.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\utcutil.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\vbscript.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\vdsbas.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\vpnike.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\VPNv2CSP.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WaaSMedicAgent.exe Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WaaSMedicCapsule.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WaaSMedicPS.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WaaSMedicSvc.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\wbengine.exe Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\wci.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\wcmcsp.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\wcmsvc.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\webio.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\webplatstorageserver.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WebRuntimeManager.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\Websocket.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\wer.dll Handle ID: 0x84 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\werconcpl.dll Handle ID: 0x84 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\wercplsupport.dll Handle ID: 0x84 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\werdiagcontroller.dll Handle ID: 0x84 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\weretw.dll Handle ID: 0x84 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WerFault.exe Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WerFaultSecure.exe Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\wermgr.exe Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\wersvc.dll Handle ID: 0x70 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\werui.dll Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\wiaaut.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\wiadss.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\wiarpc.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\wiaservc.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\wiatrace.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\wifinetworkmanager.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\wifitask.exe Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\wimgapi.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\wimserv.exe Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\win32appinventorycsp.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\Win32CompatibilityAppraiserCSP.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\win32k.sys Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\win32kbase.sys Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\win32kfull.sys Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\win32spl.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\win32u.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\wincorlib.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\Windows.ApplicationModel.ConversationalAgent.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\Windows.Internal.Management.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\Windows.Internal.Taskbar.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\Windows.Management.EnrollmentStatusTracking.ConfigProvider.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\Windows.Management.Provisioning.ProxyStub.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\Windows.Management.Service.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\Windows.Media.MediaControl.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\Windows.Media.Protection.PlayReady.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\Windows.Media.Speech.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\Windows.Media.Speech.UXRes.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\Windows.Media.Streaming.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\Windows.Mirage.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\Windows.Mirage.Internal.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\Windows.Security.Authentication.OnlineId.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\windows.storage.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\Windows.System.Launcher.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\Windows.UI.AppDefaults.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\Windows.UI.Core.TextInput.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\Windows.UI.FileExplorer.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\Windows.UI.Immersive.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\Windows.UI.Xaml.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsCodecs.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsManagementServiceWinRt.ProxyStub.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\windowsperformancerecordercontrol.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\winhttp.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\wininet.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\Winlangdb.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\winlogon.exe Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\winmde.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\winspool.drv Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WinTypes.dll Handle ID: 0x84 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WiredNetworkCSP.dll Handle ID: 0x84 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\wlidprov.dll Handle ID: 0x84 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\wlidsvc.dll Handle ID: 0x84 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\wlrmdr.exe Handle ID: 0x84 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\wmp.dll Handle ID: 0x84 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WordBreakers.dll Handle ID: 0x84 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WorkFolders.exe Handle ID: 0x84 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WorkfoldersControl.dll Handle ID: 0x84 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WorkFoldersShell.dll Handle ID: 0x84 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\workfolderssvc.dll Handle ID: 0x84 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\wow64.dll Handle ID: 0x84 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\wow64cpu.dll Handle ID: 0x84 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\wpncore.dll Handle ID: 0x84 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\wpnprv.dll Handle ID: 0x84 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\wpnservice.dll Handle ID: 0x84 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\wsecedit.dll Handle ID: 0x84 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WsmAgent.dll Handle ID: 0x84 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WSManHTTPConfig.exe Handle ID: 0x84 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WSManMigrationPlugin.dll Handle ID: 0x84 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WsmAuto.dll Handle ID: 0x84 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\wsmplpxy.dll Handle ID: 0x84 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\wsmprovhost.exe Handle ID: 0x84 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WsmRes.dll Handle ID: 0x84 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WsmSvc.dll Handle ID: 0x84 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WsmWmiPl.dll Handle ID: 0x84 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\wsqmcons.exe Handle ID: 0x84 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\wuauclt.exe Handle ID: 0x84 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\wuaueng.dll Handle ID: 0x84 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\wups2.dll Handle ID: 0x84 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\wuuhosdeployment.dll Handle ID: 0x84 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\wwanprotdim.dll Handle ID: 0x84 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\wwansvc.dll Handle ID: 0x84 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\XpsDocumentTargetPrint.dll Handle ID: 0x84 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\XpsPrint.dll Handle ID: 0x84 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\xpsservices.dll Handle ID: 0x84 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\Boot\winload.efi Handle ID: 0x84 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\Boot\winload.exe Handle ID: 0x84 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\de-DE\Windows.Media.Speech.UXRes.dll.mui Handle ID: 0x84 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\DiagSvcs\DiagnosticsHub.Packaging.dll Handle ID: 0x84 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Proxy.dll Handle ID: 0x84 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Runtime.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.ServiceRes.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\DiagSvcs\KernelTraceControl.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\Dism\CbsProvider.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\Dism\DmiProvider.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\Dism\FfuProvider.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\Dism\GenericProvider.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\Dism\ImagingProvider.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\Dism\IntlProvider.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\Dism\OfflineSetupProvider.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\Dism\OSProvider.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\Dism\ProvProvider.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\Dism\SmiProvider.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\Dism\TransmogProvider.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\Dism\UnattendProvider.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\Dism\VhdProvider.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\Dism\WimProvider.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\Dism\en-US\TransmogProvider.dll.mui Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\Dism\zh-CN\TransmogProvider.dll.mui Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\drivers\Acx01000.sys Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\drivers\afunix.sys Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\drivers\agilevpn.sys Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\drivers\bindflt.sys Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\drivers\Classpnp.sys Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\drivers\cldflt.sys Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\drivers\http.sys Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\drivers\hvservice.sys Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\drivers\KNetPwrDepBroker.sys Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\drivers\NdisImPlatform.sys Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\drivers\rdpvideominiport.sys Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\drivers\srv2.sys Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\drivers\srvnet.sys Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\drivers\tbs.sys Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\drivers\wcifs.sys Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\drivers\wimmount.sys Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\drivers\UMDF\IddCx.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\autopilotdiag.dll.mui Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\clipsvc.dll.mui Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\deviceregistration.dll.mui Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\DictationManager.dll.mui Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\dsreg.dll.mui Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\dsregcmd.exe.mui Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\dsregtask.dll.mui Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\eappgnui.dll.mui Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\eapphost.dll.mui Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\eapsvc.dll.mui Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\EditionUpgradeManagerObj.dll.mui Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\ieframe.dll.mui Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\MitigationClient.dll.mui Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\MusNotifyIcon.exe.mui Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\MusUpdateHandlers.dll.mui Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\SecurityHealthAgent.dll.mui Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\SettingsHandlers_OneDriveBackup.dll.mui Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\SimAuth.dll.mui Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\slui.exe.mui Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\sppcomapi.dll.mui Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\TtlsAuth.dll.mui Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\TtlsCfg.dll.mui Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\UserDeviceRegistration.dll.mui Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\UserDeviceRegistration.Ngc.dll.mui Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\Win32_DeviceGuard.dll.mui Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\en-US\wsecedit.dll.mui Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\fr-CA\Windows.Media.Speech.UXRes.dll.mui Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\fr-FR\Windows.Media.Speech.UXRes.dll.mui Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\IME\SHARED\ImeBroker.exe Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\IME\SHARED\ImeBrokerps.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\ja-jp\Windows.Media.Speech.UXRes.dll.mui Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\migration\AppxUpgradeMigrationPlugin.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\migration\ClipMigPlugin.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\migration\dafmigplugin.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\migration\msctfmig.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\migration\shmig.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\migration\sppmig.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\migration\SxsMigPlugin.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\migration\WSearchMigPlugin.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\migwiz\dlmanifests\Microsoft-Windows-TextServicesFramework-Migration-DL\chxmig.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\migwiz\dlmanifests\Microsoft-Windows-TextServicesFramework-Migration-DL\imjpmig.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\migwiz\dlmanifests\Microsoft-Windows-TextServicesFramework-Migration-DL\imkrmig.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\migwiz\dlmanifests\Microsoft-Windows-TextServicesFramework-Migration-DL\msctfmig.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\migwiz\dlmanifests\Microsoft-Windows-TextServicesFramework-Migration-DL\TableTextServiceMig.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\migwiz\replacementmanifests\International-core-replacement.man Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\migwiz\replacementmanifests\shmig-replacement.man Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\migwiz\replacementmanifests\microsoft-windows-shmig\shmig.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\migwiz\replacementmanifests\Microsoft-Windows-TextServicesFramework-Migration\msctfmig.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\oobe\cmisetup.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\oobe\winsetup.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationInput.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationInput.exe Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\setup\RasMigPlugin.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\Speech_OneCore\common\sapi_extensions.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\Speech_OneCore\common\sapi_onecore.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\Speech_OneCore\common\SpeechModelDownload.exe Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\Speech_OneCore\common\SpeechRuntime.exe Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\spool\prtprocs\x64\winprint.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\spp\plugin-manifests-signed\sppobjs-spp-plugin-manifest-signed.xrm-ms Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\spp\plugin-manifests-signed\sppwinob-spp-plugin-manifest-signed.xrm-ms Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\spp\tokens\skus\Core\Core-OEM-DM-1-pl-rtm.xrm-ms Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\spp\tokens\skus\Core\Core-OEM-DM-1-ul-oob-rtm.xrm-ms Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\spp\tokens\skus\Core\Core-OEM-DM-1-ul-phn-rtm.xrm-ms Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\spp\tokens\skus\Core\Core-OEM-DM-1-ul-store-rtm.xrm-ms Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\spp\tokens\skus\Core\Core-OEM-DM-2-pl-rtm.xrm-ms Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\spp\tokens\skus\Core\Core-OEM-DM-2-ul-oob-rtm.xrm-ms Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\spp\tokens\skus\Core\Core-OEM-DM-2-ul-phn-rtm.xrm-ms Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\spp\tokens\skus\Core\Core-OEM-DM-2-ul-store-rtm.xrm-ms Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\spp\tokens\skus\Core\Core-OEM-DM-3-pl-rtm.xrm-ms Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\spp\tokens\skus\Core\Core-OEM-DM-3-ul-oob-rtm.xrm-ms Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\spp\tokens\skus\Core\Core-OEM-DM-3-ul-phn-rtm.xrm-ms Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\spp\tokens\skus\Core\Core-OEM-DM-3-ul-store-rtm.xrm-ms Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\spp\tokens\skus\Core\Core-OEM-DM-4-pl-rtm.xrm-ms Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\spp\tokens\skus\Core\Core-OEM-DM-4-ul-oob-rtm.xrm-ms Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\spp\tokens\skus\Core\Core-OEM-DM-4-ul-phn-rtm.xrm-ms Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\spp\tokens\skus\Core\Core-OEM-DM-4-ul-store-rtm.xrm-ms Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\spp\tokens\skus\Core\Core-OEM-NONSLP-1-pl-rtm.xrm-ms Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\spp\tokens\skus\Core\Core-OEM-NONSLP-1-ul-oob-rtm.xrm-ms Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\spp\tokens\skus\Core\Core-OEM-NONSLP-1-ul-phn-rtm.xrm-ms Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\spp\tokens\skus\Core\Core-OEM-NONSLP-1-ul-store-rtm.xrm-ms Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\spp\tokens\skus\Core\Core-Retail-1-pl-rtm.xrm-ms Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\spp\tokens\skus\Core\Core-Retail-1-ul-oob-rtm.xrm-ms Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\spp\tokens\skus\Core\Core-Retail-1-ul-phn-rtm.xrm-ms Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\spp\tokens\skus\Core\Core-Retail-1-ul-store-rtm.xrm-ms Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\spp\tokens\skus\Core\Core-Retail-2-pl-rtm.xrm-ms Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\spp\tokens\skus\Core\Core-Retail-2-ul-oob-rtm.xrm-ms Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\spp\tokens\skus\Core\Core-Retail-2-ul-phn-rtm.xrm-ms Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\spp\tokens\skus\Core\Core-Retail-2-ul-store-rtm.xrm-ms Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\spp\tokens\skus\Core\Core-Retail-3-pl-rtm.xrm-ms Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\spp\tokens\skus\Core\Core-Retail-3-ul-oob-rtm.xrm-ms Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\spp\tokens\skus\Core\Core-Retail-3-ul-phn-rtm.xrm-ms Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\spp\tokens\skus\Core\Core-Retail-3-ul-store-rtm.xrm-ms Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\spp\tokens\skus\Core\Core-Retail-4-pl-rtm.xrm-ms Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\spp\tokens\skus\Core\Core-Retail-4-ul-oob-rtm.xrm-ms Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\spp\tokens\skus\Core\Core-Retail-4-ul-phn-rtm.xrm-ms Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\spp\tokens\skus\Core\Core-Retail-4-ul-store-rtm.xrm-ms Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\spp\tokens\skus\Core\Core-Volume-GVLK-1-ul-oob-rtm.xrm-ms Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\spp\tokens\skus\Core\Core-Volume-GVLK-1-ul-rtm.xrm-ms Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\spp\tokens\skus\CoreSingleLanguage\CoreSingleLanguage-OEM-DM-1-pl-rtm.xrm-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\spp\tokens\skus\CoreSingleLanguage\CoreSingleLanguage-OEM-DM-1-ul-oob-rtm.xrm-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\spp\tokens\skus\CoreSingleLanguage\CoreSingleLanguage-OEM-DM-1-ul-phn-rtm.xrm-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\spp\tokens\skus\CoreSingleLanguage\CoreSingleLanguage-OEM-DM-1-ul-store-rtm.xrm-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\spp\tokens\skus\CoreSingleLanguage\CoreSingleLanguage-OEM-DM-2-pl-rtm.xrm-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\spp\tokens\skus\CoreSingleLanguage\CoreSingleLanguage-OEM-DM-2-ul-oob-rtm.xrm-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\spp\tokens\skus\CoreSingleLanguage\CoreSingleLanguage-OEM-DM-2-ul-phn-rtm.xrm-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\spp\tokens\skus\CoreSingleLanguage\CoreSingleLanguage-OEM-DM-2-ul-store-rtm.xrm-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\spp\tokens\skus\CoreSingleLanguage\CoreSingleLanguage-OEM-DM-3-pl-rtm.xrm-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\spp\tokens\skus\CoreSingleLanguage\CoreSingleLanguage-OEM-DM-3-ul-oob-rtm.xrm-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\spp\tokens\skus\CoreSingleLanguage\CoreSingleLanguage-OEM-DM-3-ul-phn-rtm.xrm-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\spp\tokens\skus\CoreSingleLanguage\CoreSingleLanguage-OEM-DM-3-ul-store-rtm.xrm-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\spp\tokens\skus\CoreSingleLanguage\CoreSingleLanguage-OEM-DM-4-pl-rtm.xrm-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\spp\tokens\skus\CoreSingleLanguage\CoreSingleLanguage-OEM-DM-4-ul-oob-rtm.xrm-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\spp\tokens\skus\CoreSingleLanguage\CoreSingleLanguage-OEM-DM-4-ul-phn-rtm.xrm-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\spp\tokens\skus\CoreSingleLanguage\CoreSingleLanguage-OEM-DM-4-ul-store-rtm.xrm-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\spp\tokens\skus\CoreSingleLanguage\CoreSingleLanguage-OEM-DM-5-pl-rtm.xrm-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\spp\tokens\skus\CoreSingleLanguage\CoreSingleLanguage-OEM-DM-5-ul-oob-rtm.xrm-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\spp\tokens\skus\CoreSingleLanguage\CoreSingleLanguage-OEM-DM-5-ul-phn-rtm.xrm-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\spp\tokens\skus\CoreSingleLanguage\CoreSingleLanguage-OEM-DM-5-ul-store-rtm.xrm-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\spp\tokens\skus\CoreSingleLanguage\CoreSingleLanguage-OEM-DM-6-pl-rtm.xrm-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\spp\tokens\skus\CoreSingleLanguage\CoreSingleLanguage-OEM-DM-6-ul-oob-rtm.xrm-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\spp\tokens\skus\CoreSingleLanguage\CoreSingleLanguage-OEM-DM-6-ul-phn-rtm.xrm-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\spp\tokens\skus\CoreSingleLanguage\CoreSingleLanguage-OEM-DM-6-ul-store-rtm.xrm-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\spp\tokens\skus\CoreSingleLanguage\CoreSingleLanguage-OEM-NONSLP-1-pl-rtm.xrm-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\spp\tokens\skus\CoreSingleLanguage\CoreSingleLanguage-OEM-NONSLP-1-ul-oob-rtm.xrm-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\spp\tokens\skus\CoreSingleLanguage\CoreSingleLanguage-OEM-NONSLP-1-ul-phn-rtm.xrm-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\spp\tokens\skus\CoreSingleLanguage\CoreSingleLanguage-OEM-NONSLP-1-ul-store-rtm.xrm-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\spp\tokens\skus\CoreSingleLanguage\CoreSingleLanguage-Retail-1-pl-rtm.xrm-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\spp\tokens\skus\CoreSingleLanguage\CoreSingleLanguage-Retail-1-ul-oob-rtm.xrm-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\spp\tokens\skus\CoreSingleLanguage\CoreSingleLanguage-Retail-1-ul-phn-rtm.xrm-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\spp\tokens\skus\CoreSingleLanguage\CoreSingleLanguage-Retail-1-ul-store-rtm.xrm-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\spp\tokens\skus\CoreSingleLanguage\CoreSingleLanguage-Volume-GVLK-1-ul-oob-rtm.xrm-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\spp\tokens\skus\CoreSingleLanguage\CoreSingleLanguage-Volume-GVLK-1-ul-rtm.xrm-ms Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\SystemResetPlatform\RjvClassicApp.dll Handle ID: 0x70 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\UNP\UNPUX.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\UNP\UNPUXHost.exe Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\UNP\UNPUXLauncher.exe Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\UNP\UpdateNotificationHelpers.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\UNP\UpdateNotificationMgr.exe Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\wbem\cimwin32.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\wbem\ndisimplatcim.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\wbem\netswitchteamcim.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WinBioPlugIns\FaceBootstrapAdapter.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WinBioPlugIns\FaceFodUninstaller.exe Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WinBioPlugIns\FaceDriver\HelloFace.cat Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WinBioPlugIns\FaceDriver\HelloFace.inf Handle ID: 0x74 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WinBioPlugIns\FaceDriver\amd64\FaceDetectorResources.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WinBioPlugIns\FaceDriver\amd64\FaceProcessor.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WinBioPlugIns\FaceDriver\amd64\FaceProcessorCore.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WinBioPlugIns\FaceDriver\amd64\FaceRecognitionEngineAdapter.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WinBioPlugIns\FaceDriver\amd64\FaceRecognitionEngineAdapterResources_v4.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WinBioPlugIns\FaceDriver\amd64\FaceRecognitionEngineAdapterResourcesCore.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WinBioPlugIns\FaceDriver\amd64\FaceRecognitionEngineAdapterResourcesSecure.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WinBioPlugIns\FaceDriver\amd64\FaceRecognitionSensorAdapter.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WinBioPlugIns\FaceDriver\amd64\FaceRecognitionSensorAdapterResources.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WinBioPlugIns\FaceDriver\amd64\FaceRecognitionSensorAdapterVsm.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WinBioPlugIns\FaceDriver\amd64\FaceRecognitionSensorAdapterVsmSecure.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WinBioPlugIns\FaceDriver\amd64\FaceTrackerInternal.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Provisioning\provpackageapi.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\zh-CN\autopilotdiag.dll.mui Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\zh-CN\clipsvc.dll.mui Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\zh-CN\deviceregistration.dll.mui Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\zh-CN\DictationManager.dll.mui Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\zh-CN\dsreg.dll.mui Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\zh-CN\dsregcmd.exe.mui Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\zh-CN\dsregtask.dll.mui Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\zh-CN\eappgnui.dll.mui Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\zh-CN\eapphost.dll.mui Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\zh-CN\eapsvc.dll.mui Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\zh-CN\EditionUpgradeManagerObj.dll.mui Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\zh-CN\ieframe.dll.mui Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\zh-CN\MitigationClient.dll.mui Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\zh-CN\MusNotifyIcon.exe.mui Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\zh-CN\MusUpdateHandlers.dll.mui Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\zh-CN\SecurityHealthAgent.dll.mui Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\zh-CN\SettingsHandlers_OneDriveBackup.dll.mui Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\zh-CN\SimAuth.dll.mui Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\zh-CN\slui.exe.mui Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\zh-CN\sppcomapi.dll.mui Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\zh-CN\TtlsAuth.dll.mui Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\zh-CN\TtlsCfg.dll.mui Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\zh-CN\UserDeviceRegistration.dll.mui Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\zh-CN\UserDeviceRegistration.Ngc.dll.mui Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\zh-CN\Win32_DeviceGuard.dll.mui Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\System32\zh-CN\wsecedit.dll.mui Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\AccountsControlUI.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\Cortana.ObjectModel.winmd Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\eData.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\eModel.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\eView.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftPdfReader.exe Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\NewTabPageHost.ObjectModel.winmd Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\resources.pri Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\AntiTheft.winmd Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\CloudDomainJoin.DataModel.winmd Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\cloudexperiencehostapi.provisioning.winmd Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\CloudExperienceHostAPI.SyncSettings.winmd Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\CloudExperienceHostAPI.winmd Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\CloudExperienceHostBroker.Account.winmd Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\CloudExperienceHostBroker.Cortana.winmd Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\CloudExperienceHostBroker.Hello.winmd Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\CloudExperienceHostBroker.LocalNgc.winmd Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\CloudExperienceHostBroker.RetailDemo.winmd Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\CloudExperienceHostBroker.SyncEngine.winmd Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\ContentManagement.winmd Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\enterprisedevicemanagement.enrollment.winmd Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\enterprisedevicemanagement.service.winmd Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\Family.Cache.winmd Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\Microsoft.CloudExperienceHost.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\Microsoft.CloudExperienceHost.winmd Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\microsoft.resourceaccountmanager.winmd Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\MicrosoftAccount.Extension.winmd Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\MicrosoftAccount.TokenProvider.Core.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\MicrosoftAccount.TokenProvider.Core.winmd Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\MicrosoftAccount.UserOperations.winmd Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\RetailDemo.Internal.winmd Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\SystemSettings.DataModel.winmd Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\UnifiedEnrollment.DataModel.winmd Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\userdeviceregistration.ngc.winmd Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\data\prod\navigation-scoobe.json Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\js\unifiedEnrollment.js Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\inclusiveOobe\js\oobelocalaccount-vm.js Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\inclusiveOobe\view\oobelocalaccount-main.html Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\ContentDeliveryManager.Background.dll Handle ID: 0x8c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\ActionUriProxyStub.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\ActionUriServer.exe Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\BingConfigurationClient.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\BingLocalSearchService.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\CGSVCBackgroundTask.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\ContactPermissionsActionUriHandlers.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\ContactPermissionsProxyStub.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.Actions.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.ActionUriHandlers.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.AppToApp.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.BackgroundTask.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.ContactPermissions.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.Core.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.DoNotDisturb.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.IntentExtraction.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.Internal.Search.winmd Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.LocalSearch.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.ObjectModel.winmd Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.Places.ViewModels.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.Reminders.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.Search.winmd Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.Signals.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.SmartExtraction.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.SPA.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.SPA.ProxyStub.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.SPA.winmd Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.Sync.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.Sync.Worker.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.Tips.winmd Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\CortanaApi.CppWinrt.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\CortanaApi.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\CortanaApi.ProxyStub.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\CortanaCoreProxyStub.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\CortanaSignalsManagerProxyStub.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\CortanaSignalsProxyStub.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\CortanaSpeechux.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\CortanaSpeechUXRes.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\CortanaSyncProxyStub.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\DNDActionUriHandlers.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\DoNotDisturbProxyStub.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\JsonReader.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\microsoft.bing.client.graph.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\OnlineServices.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\PhonePCVoiceAgents.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\PlacesAutoSuggestProxyStub.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\PlacesProxyStub.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\PlacesServer.exe Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\PPIVoiceAgents.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\ReactiveAgentsCommon.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\ReminderActionUriHandlers.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\RemindersProxyStub.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\RemindersServer.exe Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\RemindersShareTargetApp.exe Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\RemindersUI.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\resources.pri Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\RulesActionUriHandler.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\RulesBackgroundTasks.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\RulesProxyStub.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\RulesService.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\RulesServiceProxyStub.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SAPIBackgroundTask.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SharedVoiceAgents.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\ShellActionUriHandlers.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SignalsManager.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\TextEntityExtractorProxy.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\tws.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\VadSharedVoiceAgents.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\VoiceAgentsCommon.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\resources.pri Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUI.exe Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUIAppShell.winmd Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUIDataModel.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUIDataModel.winmd Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUITelemetry.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUITelemetry.winmd Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUIViewModels.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUIViewModels.winmd Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemResources\Chakra.dll.mun Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemResources\comdlg32.dll.mun Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemResources\compstui.dll.mun Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemResources\crypt32.dll.mun Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemResources\dwmcore.dll.mun Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemResources\edgehtml.dll.mun Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemResources\ieframe.dll.mun Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemResources\LaunchTM.exe.mun Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemResources\msctf.dll.mun Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemResources\mshtml.dll.mun Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemResources\mssvp.dll.mun Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemResources\mstscax.dll.mun Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemResources\msutb.dll.mun Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemResources\notepad.exe.mun Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemResources\SearchIndexer.exe.mun Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemResources\shell32.dll.mun Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemResources\sppcomapi.dll.mun Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemResources\Taskmgr.exe.mun Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemResources\tquery.dll.mun Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemResources\twinui.dll.mun Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemResources\Windows.UI.Immersive.dll.mun Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemResources\Winlangdb.dll.mun Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemResources\wsecedit.dll.mun Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemResources\Microsoft.Windows.SecHealthUI\Microsoft.Windows.SecHealthUI.pri Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemResources\Windows.UI.SettingsAppThreshold\Windows.UI.SettingsAppThreshold.pri Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemResources\Windows.UI.SettingsAppThreshold\pris\Windows.UI.SettingsAppThreshold.en-US.pri Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemResources\Windows.UI.SettingsAppThreshold\pris\Windows.UI.SettingsAppThreshold.zh-CN.pri Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SystemResources\Windows.UI.SettingsAppThreshold\SystemSettings\Assets\Fonts\SetMDL2.ttf Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\ActivationManager.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\AppxAllUserStore.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\AppXDeploymentClient.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\asycfilt.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\AudioEng.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\AUDIOKSE.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\AudioSes.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\BCP47Langs.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\BCP47mrm.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\cdp.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\Chakra.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\Chakradiag.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\Chakrathunk.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\clfsw32.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\clusapi.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\combase.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\comctl32.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\comdlg32.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\compstui.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\CPFilters.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\crypt32.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\DafPrintProvider.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\daxexec.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\DeviceReactivation.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\dfrgui.exe Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\directml.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\DMAlertListener.ProxyStub.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\dmcmnutils.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\DolbyDecMFT.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\dot3api.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\dot3msm.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\DWWIN.EXE Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\dxgi.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\edgehtml.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\edgeIso.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\EdgeManager.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\EditionUpgradeHelper.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\EditionUpgradeManagerObj.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\enterpriseresourcemanager.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\esent.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\explorer.exe Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\Faultrep.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\fdSSDP.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\fdWSD.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\findnetprinters.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\gdi32full.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\GdiPlus.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\globinputhost.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\GraphicsCapture.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\iedkcs32.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\ieframe.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\iemigplugin.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\ieproxy.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\iertutil.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\IndexedDbLegacy.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\inetcpl.cpl Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\InstallService.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\InstallServiceTasks.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\iprtprio.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\iprtrmgr.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\jscript.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\jscript9.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\jscript9diag.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\jsproxy.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\kerberos.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\KernelBase.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\keyiso.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\LaunchTM.exe Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\LaunchWinApp.exe Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\LicensingWinRT.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\logoncli.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\mcicda.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\mciseq.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\mciwave.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\MCRecvSrc.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\mf.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\mf3216.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\mfasfsrcsnk.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\mfcore.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\mfmp4srcsnk.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\mfmpeg2srcsnk.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\mfplat.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\mfreadwrite.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\mfsrcsnk.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\mfsvr.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\MicrosoftAccountTokenProvider.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\mprdim.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\msauserext.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\msctf.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\msfeeds.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\msfeedsbs.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\msfeedssync.exe Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\MSFlacDecoder.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\MSFlacEncoder.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\mshtml.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\mshtml.tlb Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\msi.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\msimg32.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\msimsg.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\msIso.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\msmpeg2vdec.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\msscntrs.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\mssitlb.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\mssph.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\mssprxy.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\mssrch.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\mssvp.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\mstscax.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\msutb.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\NetDriverInstall.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\netlogon.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\NetSetupApi.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\NetSetupEngine.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\notepad.exe Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\odbc32.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\ole32.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\oleaut32.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\omadmapi.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\OpenWith.exe Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\ortcengine.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\printui.exe Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\profapi.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\profext.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\puiapi.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\puiobj.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\rdpbase.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\rdpcore.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\rdpencom.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\rdpserverbase.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\rdpsharercom.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\rdpviewerax.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\ReAgent.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\regapi.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\remoteaudioendpoint.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\resutils.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\rpcrt4.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\rtm.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\rtmcodecs.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\rtmmvrortc.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\rtmpal.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\rtmpltfm.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\rtutils.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\scecli.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\Search.ProtocolHandler.MAPI2.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\SearchFilterHost.exe Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\SearchIndexer.exe Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\SearchProtocolHost.exe Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\sechost.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\shell32.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\SpatialAudioLicenseSrv.exe Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\sppcomapi.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\sti.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\StructuredQuery.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\sxs.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\sxstrace.exe Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\tapisrv.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\Taskmgr.exe Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\tbs.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\TpmCertResources.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\TpmCoreProvisioning.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\tquery.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\tsgqec.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\tsmf.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\twinapi.appcore.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\twinapi.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\twinui.dll Handle ID: 0x60 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\udhisapi.dll Handle ID: 0x84 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\UIAutomationCore.dll Handle ID: 0x84 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\upnpcont.exe Handle ID: 0x84 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\upnphost.dll Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\uReFS.dll Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\urlmon.dll Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\user32.dll Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\UserLanguageProfileCallback.dll Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\usoapi.dll Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\vbscript.dll Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\webio.dll Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\webplatstorageserver.dll Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\Websocket.dll Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\wer.dll Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\werdiagcontroller.dll Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\weretw.dll Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WerFault.exe Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WerFaultSecure.exe Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\wermgr.exe Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\werui.dll Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\wiaaut.dll Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\wiadss.dll Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\wiatrace.dll Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\wimgapi.dll Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\win32k.sys Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\win32kfull.sys Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\win32u.dll Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\wincorlib.dll Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\Windows.Internal.Management.dll Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\Windows.Media.MediaControl.dll Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\Windows.Media.Protection.PlayReady.dll Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\Windows.Media.Speech.dll Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\Windows.Media.Streaming.dll Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\Windows.Mirage.dll Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\Windows.Mirage.Internal.dll Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\Windows.Security.Authentication.OnlineId.dll Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\windows.storage.dll Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\Windows.System.Launcher.dll Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\Windows.UI.FileExplorer.dll Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\Windows.UI.Immersive.dll Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsCodecs.dll Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\windowsperformancerecordercontrol.dll Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\winhttp.dll Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\wininet.dll Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\Winlangdb.dll Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\winspool.drv Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WinTypes.dll Handle ID: 0x84 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\wlidprov.dll Handle ID: 0x78 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\wmp.dll Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\wsecedit.dll Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WsmAgent.dll Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WSManHTTPConfig.exe Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WSManMigrationPlugin.dll Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WsmAuto.dll Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\wsmplpxy.dll Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\wsmprovhost.exe Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WsmRes.dll Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WsmSvc.dll Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WsmWmiPl.dll Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\XpsDocumentTargetPrint.dll Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\XpsPrint.dll Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\Dism\CbsProvider.dll Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\Dism\DmiProvider.dll Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\Dism\FfuProvider.dll Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\Dism\GenericProvider.dll Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\Dism\ImagingProvider.dll Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\Dism\IntlProvider.dll Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\Dism\OfflineSetupProvider.dll Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\Dism\OSProvider.dll Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\Dism\ProvProvider.dll Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\Dism\SmiProvider.dll Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\Dism\TransmogProvider.dll Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\Dism\UnattendProvider.dll Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\Dism\VhdProvider.dll Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\Dism\WimProvider.dll Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\drivers\afunix.sys Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\migration\msctfmig.dll Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\migration\shmig.dll Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\migration\SxsMigPlugin.dll Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\migration\WSearchMigPlugin.dll Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\oobe\cmisetup.dll Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\setup\RasMigPlugin.dll Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\Speech_OneCore\Common\sapi_onecore.dll Handle ID: 0x7c Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\Speech_OneCore\Common\SpeechModelDownload.exe Handle ID: 0x84 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Provisioning\provpackageapi.dll Handle ID: 0x84 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\twain_32\wiatwain.ds Handle ID: 0x70 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WaaS\services\14a3f9e824793931d34f7f786a538bbc9ef1f0d6.xml Handle ID: 0x70 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WaaS\services\20bbcadaff3e0543ef358ba4dd8b74bfe8e747c8.xml Handle ID: 0x70 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WaaS\services\2213703c9c64cc61ba900531652e23c84728d2a2.xml Handle ID: 0x70 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WaaS\services\315818c03ccc2b10070df2d4ebd09eb6c4c66e58.xml Handle ID: 0x70 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 13568 | 2020-03-18 11:37:53 | | Microsoft-Windows-Security-Auditing | 4907: Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WaaS\services\ceb497ee0184aaa4681d2fb2ef242a5b8551eea8.xml Handle ID: 0x70 Process Information: Process ID: 0x18b8 Process Name: C:\Windows\System32\poqexec.exe Auditing Settings: Original Security Descriptor: S:AINO_ACCESS_CONTROL New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
|
| | Security | Audit Success | 103 | 2020-03-18 11:38:01 | | Microsoft-Windows-Eventlog | 1100: The event logging service has shut down.
|
| | Security | Audit Success | 13312 | 2020-03-18 11:38:15 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x78 New Process Name: ????-??6?4????0--?0??????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x4 Creator Process Name: ??????? Process Command Line: ????0--?0??????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2020-03-18 11:38:15 | | Microsoft-Windows-Security-Auditing | 4696: A primary token was assigned to process. Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Process Information: Process ID: 0x4 Process Name: ? Target Process: Target Process ID: 0x78 Target Process Name: Registry New Token Information: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x3e7
|
| | Security | Audit Success | 13312 | 2020-03-18 11:38:15 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1b4 New Process Name: ??????????????-??6?4????0--?0??????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x4 Creator Process Name: ??????? Process Command Line: ????0--?0??????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13573 | 2020-03-18 11:38:15 | | Microsoft-Windows-Security-Auditing | 4826: Boot Configuration Data loaded. Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 General Settings: Load Options: - Advanced Options: %%1843 Configuration Access Policy: %%1846 System Event Logging: %%1843 Kernel Debugging: %%1843 VSM Launch Type: %%1848 Signature Settings: Test Signing: %%1843 Flight Signing: %%1843 Disable Integrity Checks: %%1843 HyperVisor Settings: HyperVisor Load Options: - HyperVisor Launch Type: %%1848 HyperVisor Debugging: %%1843
|
| | Security | Audit Success | 13312 | 2020-03-18 11:38:16 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1d0 New Process Name: ???????????????e??? ????????? ???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1b4 Creator Process Name: ????????????????????4 Process Command Line: ????0--?0????????????????????4 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2020-03-18 11:38:16 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x248 New Process Name: ??????????????-??6??4????0--?0????????????????????4? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1b4 Creator Process Name: ????????????????????4? Process Command Line: ????0--?0????????????????????4? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2020-03-18 11:38:21 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x284 New Process Name: ??????????????e??? ????????? ???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x248 Creator Process Name: ????????????????????4 Process Command Line: ????0--?0????????????????????4 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 12288 | 2020-03-18 11:38:22 | | Microsoft-Windows-Security-Auditing | 4608: Windows is starting up. This event is logged when LSASS.EXE starts and the auditing subsystem is initialized.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:38:22 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 0 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: - New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4 Process Name: ? Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: - Authentication Package: - Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:38:22 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:38:22 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: UMFD-0 Account Domain: Font Driver Host Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x2dc Process Name: C:\Windows\System32\wininit.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:38:22 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1842 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-96-0-0 Account Name: UMFD-0 Account Domain: Font Driver Host Logon ID: 0x10770 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2dc Process Name: C:\Windows\System32\wininit.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:38:22 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: UMFD-1 Account Domain: Font Driver Host Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x37c Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:38:22 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1842 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-96-0-1 Account Name: UMFD-1 Account Domain: Font Driver Host Logon ID: 0x107b8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x37c Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:38:22 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:38:22 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:38:22 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:38:22 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:38:22 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DWM-1 Account Domain: Window Manager Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x37c Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:38:22 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1842 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x17b53 Linked Logon ID: 0x17b93 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x37c Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:38:22 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1842 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x17b93 Linked Logon ID: 0x17b53 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x37c Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:38:22 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:38:22 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:38:22 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:38:22 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:38:22 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:38:22 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:38:22 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:38:22 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:38:22 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 11:38:22 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 11:38:22 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 11:38:22 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 11:38:22 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e4 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 11:38:22 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 11:38:22 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x17b53 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 11:38:22 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x17b93 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 11:38:22 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 11:38:22 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 11:38:22 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 11:38:22 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 11:38:22 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 11:38:22 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 11:38:22 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 11:38:22 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 11:38:22 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13312 | 2020-03-18 11:38:22 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2d4 New Process Name: ??????????????-??6??4????0--?0????????????????????4? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1b4 Creator Process Name: ????????????????????4? Process Command Line: ????0--?0????????????????????4? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2020-03-18 11:38:22 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2dc New Process Name: ???????????????e??? ????????? ???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x248 Creator Process Name: ????????????????????4 Process Command Line: ????0--?0????????????????????4 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2020-03-18 11:38:22 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2e4 New Process Name: ??????????????e??? ????????? ???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x2d4 Creator Process Name: ????????????????????4 Process Command Line: ????0--?0????????????????????4 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2020-03-18 11:38:22 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x324 New Process Name: ????????????????-??6??c????0--?0???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x2dc Creator Process Name: ???????????????e?????? Process Command Line: ????0--?0???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2020-03-18 11:38:22 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x32c New Process Name: ??????????????e??? ????????? ???????????????????????4? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x2dc Creator Process Name: ???????????????e?????? Process Command Line: ????0--?0???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13568 | 2020-03-18 11:38:22 | | Microsoft-Windows-Security-Auditing | 4902: The Per-user audit policy table was created. Number of Elements: 0 Policy ID: 0x10448
|
| | Security | Audit Success | 12292 | 2020-03-18 11:38:23 | | Microsoft-Windows-Security-Auditing | 5033: The Windows Firewall Driver started successfully.
|
| | Security | Audit Success | 12292 | 2020-03-18 11:38:23 | | Microsoft-Windows-Security-Auditing | 5024: The Windows Firewall service started successfully.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:38:23 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:38:23 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:38:23 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:38:23 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:38:23 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:38:23 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:38:23 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:38:23 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:38:23 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:38:23 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:38:23 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:38:23 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:38:23 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:38:23 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:38:23 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 11:38:23 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 11:38:23 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 11:38:23 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 11:38:23 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 11:38:23 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 11:38:23 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 11:38:23 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 11:38:23 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 11:38:23 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 11:38:23 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 11:38:23 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 11:38:23 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 11:38:23 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 11:38:23 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 11:38:23 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13826 | 2020-03-18 11:38:23 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-20 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e4 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0xe74 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13826 | 2020-03-18 11:38:23 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0xe48 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 12544 | 2020-03-18 11:38:26 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 11:38:26 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12290 | 2020-03-18 11:39:18 | | Microsoft-Windows-Security-Auditing | 5061: Cryptographic operation. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x8f6aa Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: %%2500 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
|
| | Security | Audit Success | 12290 | 2020-03-18 11:39:18 | | Microsoft-Windows-Security-Auditing | 5061: Cryptographic operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: %%2500 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
|
| | Security | Audit Success | 12292 | 2020-03-18 11:39:18 | | Microsoft-Windows-Security-Auditing | 5058: Key file operation. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x8f6aa Process Information: Process ID: 496 Process Creation Time: 2020-03-18T03:39:18.532536500Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: Microsoft Connected Devices Platform device certificate Key Type: %%2500 Key File Operation Information: File Path: C:\Users\redblue\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_7fbcc963-8e43-4455-80cd-825694131a80 Operation: %%2458 Return Code: 0x0
|
| | Security | Audit Success | 12292 | 2020-03-18 11:39:18 | | Microsoft-Windows-Security-Auditing | 5059: Key migration operation. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x8f6aa Process Information: Process ID: 496 Process Creation Time: 2020-03-18T03:39:18.532536500Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: %%2500 Additional Information: Operation: %%2464 Return Code: 0x0
|
| | Security | Audit Success | 12292 | 2020-03-18 11:39:18 | | Microsoft-Windows-Security-Auditing | 5058: Key file operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Process Information: Process ID: 6428 Process Creation Time: 2020-03-18T03:39:18.715965900Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: Microsoft Connected Devices Platform device certificate Key Type: %%2500 Key File Operation Information: File Path: C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_7fbcc963-8e43-4455-80cd-825694131a80 Operation: %%2458 Return Code: 0x0
|
| | Security | Audit Success | 12292 | 2020-03-18 11:39:18 | | Microsoft-Windows-Security-Auditing | 5059: Key migration operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Process Information: Process ID: 6428 Process Creation Time: 2020-03-18T03:39:18.715965900Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: %%2500 Additional Information: Operation: %%2464 Return Code: 0x0
|
| | Security | Audit Success | 12544 | 2020-03-18 11:39:18 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa10 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: 127.0.0.1 Port: 0 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:39:18 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x8f668 Linked Logon ID: 0x8f6aa Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa10 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: DESKTOP-UT5JEJD Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:39:18 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x8f6aa Linked Logon ID: 0x8f668 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa10 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: DESKTOP-UT5JEJD Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:39:18 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 11:39:18 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x8f668 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 11:39:18 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2020-03-18 11:39:18 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x510 Process Name: C:\Windows\System32\LogonUI.exe
|
| | Security | Audit Success | 13826 | 2020-03-18 11:39:18 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x7f0 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 12544 | 2020-03-18 11:39:19 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 11:39:19 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2020-03-18 11:39:20 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 11:39:20 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13826 | 2020-03-18 11:39:20 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x1f94 Process Name: C:\Windows\System32\SearchIndexer.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 11:39:28 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1450 Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 11:39:28 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1450 Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe
|
| | Security | Audit Success | 12290 | 2020-03-18 11:39:31 | | Microsoft-Windows-Security-Auditing | 5061: Cryptographic operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: {9958B427-41A6-494A-83E0-B395A2CFCE0B} Key Type: %%2500 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
|
| | Security | Audit Success | 12292 | 2020-03-18 11:39:31 | | Microsoft-Windows-Security-Auditing | 5058: Key file operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Process Information: Process ID: 2508 Process Creation Time: 2020-03-18T03:39:19.236545400Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: {9958B427-41A6-494A-83E0-B395A2CFCE0B} Key Type: %%2500 Key File Operation Information: File Path: C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\e616b71df416cc5b9b621e575917310d_7fbcc963-8e43-4455-80cd-825694131a80 Operation: %%2458 Return Code: 0x0
|
| | Security | Audit Success | 12544 | 2020-03-18 11:39:31 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xa10 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: 127.0.0.1 Port: 0 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:39:31 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xfba67 Linked Logon ID: 0xfba8c Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa10 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: DESKTOP-UT5JEJD Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:39:31 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xfba8c Linked Logon ID: 0xfba67 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xa10 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: DESKTOP-UT5JEJD Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:39:31 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12545 | 2020-03-18 11:39:31 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xfba8c Logon Type: 2 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12545 | 2020-03-18 11:39:31 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xfba67 Logon Type: 2 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12548 | 2020-03-18 11:39:31 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0xfba67 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 11:39:31 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2020-03-18 11:39:31 | | Microsoft-Windows-Security-Auditing | 5382: Vault credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 This event occurs when a user reads a stored vault credential.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:39:32 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 11:39:32 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2020-03-18 11:39:32 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x8f6aa Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 11:39:32 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x8f6aa Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 11:39:32 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 11:39:32 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 11:39:32 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 11:39:32 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x8f6aa Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 11:39:32 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x8f6aa Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 11:39:32 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x8f6aa Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 11:39:33 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x8f6aa Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 11:39:34 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x8f6aa Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 11:39:41 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1450 Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 11:39:41 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1450 Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 11:39:44 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x8f6aa User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x26d8 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 11:39:44 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x8f6aa User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x26d8 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 11:39:44 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x8f6aa Additional Information: Caller Workstation: DESKTOP-UT5JEJD Target Account Name: Administrator Target Account Domain: DESKTOP-UT5JEJD
|
| | Security | Audit Success | 13824 | 2020-03-18 11:39:44 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x8f6aa User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x26d8 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 11:39:44 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x8f6aa User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x26d8 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 11:39:44 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x8f6aa User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x26d8 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 11:39:44 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x8f6aa User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x26d8 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
|
| | Security | Audit Success | 12544 | 2020-03-18 11:39:56 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:39:56 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 11:39:56 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 11:39:56 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2020-03-18 11:39:58 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 11:39:58 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2020-03-18 11:40:04 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 11:40:04 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2020-03-18 11:40:11 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 11:40:11 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2020-03-18 11:40:12 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 11:40:12 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2020-03-18 11:40:20 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 11:40:20 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2020-03-18 11:40:23 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 11:40:23 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2020-03-18 11:40:27 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 11:40:27 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13826 | 2020-03-18 11:40:27 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x17fc Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 11:40:38 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x8f6aa Additional Information: Caller Workstation: DESKTOP-UT5JEJD Target Account Name: Administrator Target Account Domain: DESKTOP-UT5JEJD
|
| | Security | Audit Success | 13824 | 2020-03-18 11:40:38 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x8f6aa Additional Information: Caller Workstation: DESKTOP-UT5JEJD Target Account Name: DefaultAccount Target Account Domain: DESKTOP-UT5JEJD
|
| | Security | Audit Success | 13824 | 2020-03-18 11:40:38 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x8f6aa Additional Information: Caller Workstation: DESKTOP-UT5JEJD Target Account Name: Guest Target Account Domain: DESKTOP-UT5JEJD
|
| | Security | Audit Success | 13824 | 2020-03-18 11:40:38 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x8f6aa Additional Information: Caller Workstation: DESKTOP-UT5JEJD Target Account Name: WDAGUtilityAccount Target Account Domain: DESKTOP-UT5JEJD
|
| | Security | Audit Success | 13824 | 2020-03-18 11:40:52 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x8f6aa User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x28f4 Process Name: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
|
| | Security | Audit Success | 12544 | 2020-03-18 11:41:08 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 11:41:08 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2020-03-18 11:41:09 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 11:41:09 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2020-03-18 11:41:10 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 11:41:10 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2020-03-18 11:42:22 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 11:42:22 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2020-03-18 11:45:09 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 11:45:09 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2020-03-18 11:45:13 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 11:45:13 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2020-03-18 11:45:17 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 11:45:17 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2020-03-18 11:45:36 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 11:45:36 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2020-03-18 11:45:36 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x8f6aa User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1e38 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 11:45:36 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x8f6aa User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1e38 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 11:45:36 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x8f6aa Additional Information: Caller Workstation: DESKTOP-UT5JEJD Target Account Name: Administrator Target Account Domain: DESKTOP-UT5JEJD
|
| | Security | Audit Success | 13824 | 2020-03-18 11:45:36 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x8f6aa User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1e38 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 11:45:36 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x8f6aa User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1e38 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 11:45:36 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x8f6aa User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1e38 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 11:45:36 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x8f6aa User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1e38 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 11:45:36 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 11:45:36 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 11:45:36 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 11:45:36 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x8f6aa Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 11:45:36 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x8f6aa Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 11:45:36 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x8f6aa Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 11:46:46 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x8f6aa User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x384 Process Name: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
|
| | Security | Audit Success | 12544 | 2020-03-18 11:50:26 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 11:50:26 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2020-03-18 11:51:27 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 11:51:27 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2020-03-18 11:52:04 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 11:52:04 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2020-03-18 11:52:04 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 11:52:04 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 11:52:04 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 11:52:04 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x8f6aa Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 11:52:04 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x8f6aa Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 11:52:04 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x8f6aa Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 11:53:27 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x8f6aa User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1d60 Process Name: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
|
| | Security | Audit Success | 12544 | 2020-03-18 11:54:19 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 11:54:19 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2020-03-18 11:56:22 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 11:56:22 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2020-03-18 11:56:26 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12545 | 2020-03-18 11:56:26 | | Microsoft-Windows-Security-Auditing | 4647: User initiated logoff: Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x8f6aa This event is generated when a logoff is initiated. No further user-initiated activity can occur. This event can be interpreted as a logoff event.
|
| | Security | Audit Success | 12548 | 2020-03-18 11:56:26 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2020-03-18 11:56:26 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-500 Account Name: Administrator Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0xa10 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 11:56:26 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-503 Account Name: DefaultAccount Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0xa10 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 11:56:26 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0xa10 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 11:56:26 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0xa10 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 11:56:26 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-504 Account Name: WDAGUtilityAccount Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0xa10 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 12544 | 2020-03-18 11:56:28 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:56:28 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 11:56:28 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 11:56:28 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13826 | 2020-03-18 11:56:28 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x290c Process Name: C:\Windows\System32\VSSVC.exe
|
| | Security | Audit Success | 13826 | 2020-03-18 11:56:28 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x290c Process Name: C:\Windows\System32\VSSVC.exe
|
| | Security | Audit Success | 13826 | 2020-03-18 11:56:28 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x290c Process Name: C:\Windows\System32\VSSVC.exe
|
| | Security | Audit Success | 13826 | 2020-03-18 11:56:28 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x290c Process Name: C:\Windows\System32\VSSVC.exe
|
| | Security | Audit Success | 103 | 2020-03-18 11:56:29 | | Microsoft-Windows-Eventlog | 1100: The event logging service has shut down.
|
| | Security | Audit Success | 13312 | 2020-03-18 11:56:43 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x78 New Process Name: ????-??6?4????0--?0??????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x4 Creator Process Name: ??????? Process Command Line: ????0--?0??????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2020-03-18 11:56:43 | | Microsoft-Windows-Security-Auditing | 4696: A primary token was assigned to process. Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Process Information: Process ID: 0x4 Process Name: ? Target Process: Target Process ID: 0x78 Target Process Name: Registry New Token Information: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x3e7
|
| | Security | Audit Success | 13312 | 2020-03-18 11:56:43 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1b0 New Process Name: ??????????????-??6?4????0--?0??????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x4 Creator Process Name: ??????? Process Command Line: ????0--?0??????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2020-03-18 11:56:43 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1dc New Process Name: ???????????????e??? ????????? ???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1b0 Creator Process Name: ????????????????????4 Process Command Line: ????0--?0????????????????????4 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13573 | 2020-03-18 11:56:43 | | Microsoft-Windows-Security-Auditing | 4826: Boot Configuration Data loaded. Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 General Settings: Load Options: - Advanced Options: %%1843 Configuration Access Policy: %%1846 System Event Logging: %%1843 Kernel Debugging: %%1843 VSM Launch Type: %%1848 Signature Settings: Test Signing: %%1843 Flight Signing: %%1843 Disable Integrity Checks: %%1843 HyperVisor Settings: HyperVisor Load Options: - HyperVisor Launch Type: %%1848 HyperVisor Debugging: %%1843
|
| | Security | Audit Success | 13312 | 2020-03-18 11:56:44 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x248 New Process Name: ??????????????-??6??0????0--?0????????????????????4? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1b0 Creator Process Name: ????????????????????4? Process Command Line: ????0--?0????????????????????4? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 12288 | 2020-03-18 11:56:49 | | Microsoft-Windows-Security-Auditing | 4608: Windows is starting up. This event is logged when LSASS.EXE starts and the auditing subsystem is initialized.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:56:49 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 0 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: - New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4 Process Name: ? Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: - Authentication Package: - Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:56:49 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:56:49 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: UMFD-0 Account Domain: Font Driver Host Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x2d8 Process Name: C:\Windows\System32\wininit.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:56:49 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1842 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-96-0-0 Account Name: UMFD-0 Account Domain: Font Driver Host Logon ID: 0x106a6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2d8 Process Name: C:\Windows\System32\wininit.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:56:49 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: UMFD-1 Account Domain: Font Driver Host Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x378 Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:56:49 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1842 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-96-0-1 Account Name: UMFD-1 Account Domain: Font Driver Host Logon ID: 0x106f8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x378 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 11:56:49 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13312 | 2020-03-18 11:56:49 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x280 New Process Name: ??????????????e??? ????????? ???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x248 Creator Process Name: ????????????????????4 Process Command Line: ????0--?0????????????????????4 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2020-03-18 11:56:49 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2d0 New Process Name: ??????????????-??6??0????0--?0????????????????????4? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1b0 Creator Process Name: ????????????????????4? Process Command Line: ????0--?0????????????????????4? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2020-03-18 11:56:49 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2d8 New Process Name: ???????????????e??? ????????? ???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x248 Creator Process Name: ????????????????????4 Process Command Line: ????0--?0????????????????????4 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2020-03-18 11:56:49 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2e4 New Process Name: ??????????????e??? ????????? ???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x2d0 Creator Process Name: ????????????????????4 Process Command Line: ????0--?0????????????????????4 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2020-03-18 11:56:49 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x320 New Process Name: ????????????????-??6??8????0--?0???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x2d8 Creator Process Name: ???????????????e?????? Process Command Line: ????0--?0???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2020-03-18 11:56:49 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x328 New Process Name: ??????????????e??? ????????? ???????????????????????4? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x2d8 Creator Process Name: ???????????????e?????? Process Command Line: ????0--?0???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13568 | 2020-03-18 11:56:49 | | Microsoft-Windows-Security-Auditing | 4902: The Per-user audit policy table was created. Number of Elements: 0 Policy ID: 0x10348
|
| | Security | Audit Success | 12292 | 2020-03-18 11:56:50 | | Microsoft-Windows-Security-Auditing | 5033: The Windows Firewall Driver started successfully.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:56:50 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:56:50 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:56:50 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:56:50 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:56:50 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DWM-1 Account Domain: Window Manager Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x378 Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:56:50 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1842 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x17c4b Linked Logon ID: 0x17c8c Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x378 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:56:50 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1842 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x17c8c Linked Logon ID: 0x17c4b Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x378 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:56:50 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:56:50 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:56:50 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:56:50 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:56:50 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:56:50 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:56:50 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:56:50 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:56:50 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:56:50 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:56:50 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:56:50 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:56:50 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:56:50 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:56:50 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:56:50 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:56:50 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:56:50 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:56:50 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:56:50 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:56:50 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:56:50 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:56:50 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 11:56:50 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 11:56:50 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 11:56:50 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e4 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 11:56:50 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 11:56:50 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x17c4b Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 11:56:50 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x17c8c Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 11:56:50 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 11:56:50 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 11:56:50 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 11:56:50 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 11:56:50 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 11:56:50 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 11:56:50 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 11:56:50 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 11:56:50 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 11:56:50 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 11:56:50 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 11:56:50 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 11:56:50 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 11:56:50 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 11:56:50 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 11:56:50 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 11:56:50 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 11:56:50 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 11:56:50 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 11:56:50 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 11:56:50 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 11:56:50 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 11:56:50 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12292 | 2020-03-18 11:56:51 | | Microsoft-Windows-Security-Auditing | 5024: The Windows Firewall service started successfully.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:56:51 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 11:56:51 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13826 | 2020-03-18 11:56:51 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-20 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e4 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0xe30 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13826 | 2020-03-18 11:56:51 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0xecc Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 12544 | 2020-03-18 11:56:53 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 11:56:53 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 103 | 2020-03-18 11:57:36 | | Microsoft-Windows-Eventlog | 1100: The event logging service has shut down.
|
| | Security | Audit Success | 13312 | 2020-03-18 11:57:49 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x78 New Process Name: ????-??6?4????0--?0??????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x4 Creator Process Name: ??????? Process Command Line: ????0--?0??????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2020-03-18 11:57:49 | | Microsoft-Windows-Security-Auditing | 4696: A primary token was assigned to process. Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Process Information: Process ID: 0x4 Process Name: ? Target Process: Target Process ID: 0x78 Target Process Name: Registry New Token Information: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x3e7
|
| | Security | Audit Success | 13312 | 2020-03-18 11:57:49 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1b0 New Process Name: ??????????????-??6?4????0--?0??????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x4 Creator Process Name: ??????? Process Command Line: ????0--?0??????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13573 | 2020-03-18 11:57:49 | | Microsoft-Windows-Security-Auditing | 4826: Boot Configuration Data loaded. Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 General Settings: Load Options: - Advanced Options: %%1843 Configuration Access Policy: %%1846 System Event Logging: %%1843 Kernel Debugging: %%1843 VSM Launch Type: %%1848 Signature Settings: Test Signing: %%1843 Flight Signing: %%1843 Disable Integrity Checks: %%1843 HyperVisor Settings: HyperVisor Load Options: - HyperVisor Launch Type: %%1848 HyperVisor Debugging: %%1843
|
| | Security | Audit Success | 13312 | 2020-03-18 11:57:50 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1d4 New Process Name: ???????????????e??? ????????? ???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1b0 Creator Process Name: ????????????????????4 Process Command Line: ????0--?0????????????????????4 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2020-03-18 11:57:50 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x240 New Process Name: ??????????????-??6??0????0--?0????????????????????4? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1b0 Creator Process Name: ????????????????????4? Process Command Line: ????0--?0????????????????????4? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2020-03-18 11:57:55 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x274 New Process Name: ??????????????e??? ????????? ???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x240 Creator Process Name: ????????????????????4 Process Command Line: ????0--?0????????????????????4 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 12288 | 2020-03-18 11:57:56 | | Microsoft-Windows-Security-Auditing | 4608: Windows is starting up. This event is logged when LSASS.EXE starts and the auditing subsystem is initialized.
|
| | Security | Audit Success | 12292 | 2020-03-18 11:57:56 | | Microsoft-Windows-Security-Auditing | 5033: The Windows Firewall Driver started successfully.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:57:56 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 0 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: - New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4 Process Name: ? Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: - Authentication Package: - Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. 
- Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:57:56 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: UMFD-0 Account Domain: Font Driver Host Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x2cc Process Name: C:\Windows\System32\wininit.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:57:56 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:57:56 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1842 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-96-0-0 Account Name: UMFD-0 Account Domain: Font Driver Host Logon ID: 0x104a2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2cc Process Name: C:\Windows\System32\wininit.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:57:56 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: UMFD-1 Account Domain: Font Driver Host Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x36c Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:57:56 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1842 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-96-0-1 Account Name: UMFD-1 Account Domain: Font Driver Host Logon ID: 0x107e3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x36c Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:57:56 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:57:56 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:57:56 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:57:56 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:57:56 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DWM-1 Account Domain: Window Manager Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x36c Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:57:56 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1842 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x183b5 Linked Logon ID: 0x18408 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x36c Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:57:56 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1842 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x18408 Linked Logon ID: 0x183b5 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x36c Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:57:56 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:57:56 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:57:56 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:57:56 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:57:56 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:57:56 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:57:56 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:57:56 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:57:56 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:57:56 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:57:56 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:57:56 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:57:56 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:57:56 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:57:56 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:57:56 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:57:56 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:57:56 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:57:56 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 11:57:56 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 11:57:56 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 11:57:56 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 11:57:56 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e4 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 11:57:56 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 11:57:56 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x183b5 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 11:57:56 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x18408 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 11:57:56 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 11:57:56 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 11:57:56 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 11:57:56 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 11:57:56 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 11:57:56 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 11:57:56 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 11:57:56 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 11:57:56 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 11:57:56 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 11:57:56 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 11:57:56 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 11:57:56 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 11:57:56 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 11:57:56 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 11:57:56 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 11:57:56 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 11:57:56 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 11:57:56 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13312 | 2020-03-18 11:57:56 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2c4 New Process Name: ??????????????-??6??0????0--?0????????????????????4? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1b0 Creator Process Name: ????????????????????4? Process Command Line: ????0--?0????????????????????4? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2020-03-18 11:57:56 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2cc New Process Name: ???????????????e??? ????????? ???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x240 Creator Process Name: ????????????????????4 Process Command Line: ????0--?0????????????????????4 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2020-03-18 11:57:56 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2d8 New Process Name: ??????????????e??? ????????? ???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x2c4 Creator Process Name: ????????????????????4 Process Command Line: ????0--?0????????????????????4 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2020-03-18 11:57:56 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x314 New Process Name: ????????????????-??6??c????0--?0???????????????e?????? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x2cc Creator Process Name: ???????????????e?????? Process Command Line: ????0--?0???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13312 | 2020-03-18 11:57:56 | | Microsoft-Windows-Security-Auditing | 4688: A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3e7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x31c New Process Name: ??????????????e??? ????????? ???????????????????????4? Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x2cc Creator Process Name: ???????????????e?????? Process Command Line: ????0--?0???????????????e?????? Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
|
| | Security | Audit Success | 13568 | 2020-03-18 11:57:56 | | Microsoft-Windows-Security-Auditing | 4902: The Per-user audit policy table was created. Number of Elements: 0 Policy ID: 0x102ae
|
| | Security | Audit Success | 12292 | 2020-03-18 11:57:57 | | Microsoft-Windows-Security-Auditing | 5024: The Windows Firewall service started successfully.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:57:57 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:57:57 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:57:57 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:57:57 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:57:57 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 11:57:57 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 11:57:57 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 11:57:57 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 11:57:57 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 11:57:57 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13826 | 2020-03-18 11:57:57 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-20 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e4 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0xe48 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13826 | 2020-03-18 11:57:57 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0xf44 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 12544 | 2020-03-18 11:58:00 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 11:58:00 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2020-03-18 11:58:42 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 11:58:42 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2020-03-18 11:58:42 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x504 Process Name: C:\Windows\System32\LogonUI.exe
|
| | Security | Audit Success | 12290 | 2020-03-18 11:58:45 | | Microsoft-Windows-Security-Auditing | 5061: Cryptographic operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: {9958B427-41A6-494A-83E0-B395A2CFCE0B} Key Type: %%2500 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
|
| | Security | Audit Success | 12290 | 2020-03-18 11:58:45 | | Microsoft-Windows-Security-Auditing | 5061: Cryptographic operation. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x5defe Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: %%2500 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
|
| | Security | Audit Success | 12290 | 2020-03-18 11:58:45 | | Microsoft-Windows-Security-Auditing | 5061: Cryptographic operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: %%2500 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
|
| | Security | Audit Success | 12292 | 2020-03-18 11:58:45 | | Microsoft-Windows-Security-Auditing | 5058: Key file operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Process Information: Process ID: 6856 Process Creation Time: 2020-03-18T03:58:42.397918200Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: {9958B427-41A6-494A-83E0-B395A2CFCE0B} Key Type: %%2500 Key File Operation Information: File Path: C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\e616b71df416cc5b9b621e575917310d_7fbcc963-8e43-4455-80cd-825694131a80 Operation: %%2458 Return Code: 0x0
|
| | Security | Audit Success | 12292 | 2020-03-18 11:58:45 | | Microsoft-Windows-Security-Auditing | 5058: Key file operation. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x5defe Process Information: Process ID: 2216 Process Creation Time: 2020-03-18T03:58:45.384541600Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: Microsoft Connected Devices Platform device certificate Key Type: %%2500 Key File Operation Information: File Path: C:\Users\redblue\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_7fbcc963-8e43-4455-80cd-825694131a80 Operation: %%2458 Return Code: 0x0
|
| | Security | Audit Success | 12292 | 2020-03-18 11:58:45 | | Microsoft-Windows-Security-Auditing | 5059: Key migration operation. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x5defe Process Information: Process ID: 2216 Process Creation Time: 2020-03-18T03:58:45.384541600Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: %%2500 Additional Information: Operation: %%2464 Return Code: 0x0
|
| | Security | Audit Success | 12292 | 2020-03-18 11:58:45 | | Microsoft-Windows-Security-Auditing | 5058: Key file operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Process Information: Process ID: 1688 Process Creation Time: 2020-03-18T03:58:45.528329800Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: Microsoft Connected Devices Platform device certificate Key Type: %%2500 Key File Operation Information: File Path: C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_7fbcc963-8e43-4455-80cd-825694131a80 Operation: %%2458 Return Code: 0x0
|
| | Security | Audit Success | 12292 | 2020-03-18 11:58:45 | | Microsoft-Windows-Security-Auditing | 5059: Key migration operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Process Information: Process ID: 1688 Process Creation Time: 2020-03-18T03:58:45.528329800Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: %%2500 Additional Information: Operation: %%2464 Return Code: 0x0
|
| | Security | Audit Success | 12544 | 2020-03-18 11:58:45 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xad4 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: 127.0.0.1 Port: 0 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:58:45 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x5dec7 Linked Logon ID: 0x5defe Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xad4 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: DESKTOP-UT5JEJD Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:58:45 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x5defe Linked Logon ID: 0x5dec7 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xad4 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: DESKTOP-UT5JEJD Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:58:45 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 11:58:45 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x5dec7 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 11:58:45 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2020-03-18 11:58:45 | | Microsoft-Windows-Security-Auditing | 5382: Vault credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 This event occurs when a user reads a stored vault credential.
|
| | Security | Audit Success | 13826 | 2020-03-18 11:58:45 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x830 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 12544 | 2020-03-18 11:58:46 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 11:58:46 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13826 | 2020-03-18 11:58:46 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x1d18 Process Name: C:\Windows\System32\SearchIndexer.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 11:58:55 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x14f8 Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 11:58:55 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x14f8 Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe
|
| | Security | Audit Success | 12544 | 2020-03-18 11:58:57 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 11:58:57 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2020-03-18 11:58:58 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 11:58:58 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2020-03-18 11:58:58 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x5defe Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 11:58:58 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x5defe Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 11:58:58 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 11:58:58 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 11:58:58 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 11:58:58 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x5defe Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 11:58:58 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x5defe Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 11:58:58 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x5defe Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 11:58:59 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x5defe Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 11:59:00 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x5defe Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:59:02 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 11:59:02 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2020-03-18 11:59:06 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x5defe User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x2970 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 11:59:06 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x5defe User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x2970 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 11:59:06 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x5defe Additional Information: Caller Workstation: DESKTOP-UT5JEJD Target Account Name: Administrator Target Account Domain: DESKTOP-UT5JEJD
|
| | Security | Audit Success | 13824 | 2020-03-18 11:59:06 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x5defe User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x2970 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 11:59:06 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x5defe User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x2970 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 11:59:06 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x5defe User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x2970 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 11:59:06 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x5defe User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x2970 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
|
| | Security | Audit Success | 12544 | 2020-03-18 11:59:09 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:59:09 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 11:59:09 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 11:59:09 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 11:59:09 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 11:59:09 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2020-03-18 11:59:10 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 11:59:10 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2020-03-18 11:59:13 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 11:59:13 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2020-03-18 11:59:15 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 11:59:15 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13826 | 2020-03-18 11:59:15 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x2c4c Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 12544 | 2020-03-18 11:59:45 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 11:59:45 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2020-03-18 11:59:47 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 11:59:47 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2020-03-18 11:59:52 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 11:59:52 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2020-03-18 11:59:54 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 11:59:54 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2020-03-18 12:00:42 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 12:00:42 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2020-03-18 12:00:43 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 12:00:43 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 12:00:43 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 12:00:43 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2020-03-18 12:04:56 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 12:04:56 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2020-03-18 12:05:34 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x5defe User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x978 Process Name: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
|
| | Security | Audit Success | 12544 | 2020-03-18 12:09:51 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 12:09:51 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2020-03-18 12:13:45 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 12:13:45 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12544 | 2020-03-18 12:14:52 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 12:14:52 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 12:14:52 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 12:14:52 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2020-03-18 12:14:52 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x25b8 Process Name: C:\Windows\System32\LogonUI.exe
|
| | Security | Audit Success | 12544 | 2020-03-18 12:14:54 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 12:14:54 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13826 | 2020-03-18 12:14:56 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x24f4 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 12544 | 2020-03-18 12:15:03 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xad4 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: 127.0.0.1 Port: 0 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2020-03-18 12:15:03 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x443d39 Linked Logon ID: 0x443d61 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xad4 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: DESKTOP-UT5JEJD Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 12:15:03 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x443d61 Linked Logon ID: 0x443d39 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xad4 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: DESKTOP-UT5JEJD Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12545 | 2020-03-18 12:15:03 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x443d61 Logon Type: 2 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12545 | 2020-03-18 12:15:03 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x443d39 Logon Type: 2 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12548 | 2020-03-18 12:15:03 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x443d39 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2020-03-18 12:15:03 | | Microsoft-Windows-Security-Auditing | 5382: Vault credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 This event occurs when a user reads a stored vault credential.
|
| | Security | Audit Success | 12544 | 2020-03-18 12:15:08 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: UMFD-2 Account Domain: Font Driver Host Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x1d64 Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2020-03-18 12:15:08 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1842 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-96-0-2 Account Name: UMFD-2 Account Domain: Font Driver Host Logon ID: 0x449c91 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d64 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 12:15:08 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DWM-2 Account Domain: Window Manager Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x1d64 Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2020-03-18 12:15:08 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1842 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-90-0-2 Account Name: DWM-2 Account Domain: Window Manager Logon ID: 0x44b081 Linked Logon ID: 0x44b0bb Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d64 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 12:15:08 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1842 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-90-0-2 Account Name: DWM-2 Account Domain: Window Manager Logon ID: 0x44b0bb Linked Logon ID: 0x44b081 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1d64 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 12:15:08 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-2 Account Name: DWM-2 Account Domain: Window Manager Logon ID: 0x44b081 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege
|
| | Security | Audit Success | 12548 | 2020-03-18 12:15:08 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-2 Account Name: DWM-2 Account Domain: Window Manager Logon ID: 0x44b0bb Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege
|
| | Security | Audit Success | 12545 | 2020-03-18 12:15:09 | | Microsoft-Windows-Security-Auditing | 4647: User initiated logoff: Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x5defe This event is generated when a logoff is initiated. No further user-initiated activity can occur. This event can be interpreted as a logoff event.
|
| | Security | Audit Success | 13824 | 2020-03-18 12:15:09 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-500 Account Name: Administrator Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0xad4 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 12:15:09 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-503 Account Name: DefaultAccount Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0xad4 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 12:15:09 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0xad4 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 12:15:09 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0xad4 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 12:15:09 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-504 Account Name: WDAGUtilityAccount Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0xad4 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 12545 | 2020-03-18 12:15:10 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-96-0-1 Account Name: UMFD-1 Account Domain: Font Driver Host Logon ID: 0x107e3 Logon Type: 2 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12545 | 2020-03-18 12:15:11 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x18408 Logon Type: 2 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12545 | 2020-03-18 12:15:11 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x183b5 Logon Type: 2 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 13824 | 2020-03-18 12:15:11 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1e50 Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 12:15:11 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1e50 Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe
|
| | Security | Audit Success | 12544 | 2020-03-18 12:15:12 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 12:15:12 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 12290 | 2020-03-18 13:10:37 | | Microsoft-Windows-Security-Auditing | 5061: Cryptographic operation. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466656 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: %%2500 Cryptographic Operation: Operation: %%2480 Return Code: 0x0
|
| | Security | Audit Success | 12292 | 2020-03-18 13:10:37 | | Microsoft-Windows-Security-Auditing | 5058: Key file operation. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466656 Process Information: Process ID: 8476 Process Creation Time: 2020-03-18T05:10:37.581408700Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: Microsoft Connected Devices Platform device certificate Key Type: %%2500 Key File Operation Information: File Path: C:\Users\redblue\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_7fbcc963-8e43-4455-80cd-825694131a80 Operation: %%2458 Return Code: 0x0
|
| | Security | Audit Success | 12292 | 2020-03-18 13:10:37 | | Microsoft-Windows-Security-Auditing | 5059: Key migration operation. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466656 Process Information: Process ID: 8476 Process Creation Time: 2020-03-18T05:10:37.581408700Z Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: %%2500 Additional Information: Operation: %%2464 Return Code: 0x0
|
| | Security | Audit Success | 12544 | 2020-03-18 13:10:37 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xad4 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: 127.0.0.1 Port: 0 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2020-03-18 13:10:37 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466632 Linked Logon ID: 0x466656 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xad4 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: DESKTOP-UT5JEJD Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 13:10:37 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466656 Linked Logon ID: 0x466632 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xad4 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: DESKTOP-UT5JEJD Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 13:10:37 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466632 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13826 | 2020-03-18 13:10:37 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x830 Process Name: C:\Windows\System32\svchost.exe
|
| | Security | Audit Success | 12544 | 2020-03-18 13:10:38 | | Microsoft-Windows-Security-Auditing | 4648: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xad4 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: 127.0.0.1 Port: 0 This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
|
| | Security | Audit Success | 12544 | 2020-03-18 13:10:38 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x47a038 Linked Logon ID: 0x47a094 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xad4 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: DESKTOP-UT5JEJD Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12544 | 2020-03-18 13:10:38 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1843 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x47a094 Linked Logon ID: 0x47a038 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xad4 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: DESKTOP-UT5JEJD Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12545 | 2020-03-18 13:10:38 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x47a094 Logon Type: 2 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12545 | 2020-03-18 13:10:38 | | Microsoft-Windows-Security-Auditing | 4634: An account was logged off. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x47a038 Logon Type: 2 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
|
| | Security | Audit Success | 12548 | 2020-03-18 13:10:38 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x47a038 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2020-03-18 13:10:38 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x28b4 Process Name: C:\Windows\System32\LogonUI.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 13:10:38 | | Microsoft-Windows-Security-Auditing | 5382: Vault credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 This event occurs when a user reads a stored vault credential.
|
| | Security | Audit Success | 13824 | 2020-03-18 13:10:47 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1e50 Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 13:10:47 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1e50 Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 13:10:47 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1e50 Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 13:10:47 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1e50 Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe
|
| | Security | Audit Success | 12544 | 2020-03-18 13:10:51 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 13:10:51 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2020-03-18 13:10:51 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466656 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 13:10:51 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466656 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 13:10:51 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 13:10:51 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 13:10:51 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 13:10:51 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466656 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 13:10:51 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466656 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 13:10:51 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466656 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 13:10:52 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466656 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1654 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 13:10:52 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466656 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1654 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 13:10:52 | | Microsoft-Windows-Security-Auditing | 4797: An attempt was made to query the existence of a blank password for an account. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466656 Additional Information: Caller Workstation: DESKTOP-UT5JEJD Target Account Name: Administrator Target Account Domain: DESKTOP-UT5JEJD
|
| | Security | Audit Success | 13824 | 2020-03-18 13:10:52 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466656 User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1654 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 13:10:52 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466656 User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1654 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 13:10:52 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466656 User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1654 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 13:10:52 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466656 User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1654 Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 13:10:53 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466656 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 12544 | 2020-03-18 13:10:56 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 13:10:56 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2020-03-18 13:11:09 | | Microsoft-Windows-Security-Auditing | 5379: Credential Manager credentials were read. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466656 Read Operation: %%8100 This event occurs when a user performs a read operation on stored credentials in Credential Manager.
|
| | Security | Audit Success | 13824 | 2020-03-18 13:11:27 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466656 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1810 Process Name: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
|
| | Security | Audit Success | 12544 | 2020-03-18 13:12:27 | | Microsoft-Windows-Security-Auditing | 4624: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: %%1843 Elevated Token: %%1842 Impersonation Level: %%1833 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x314 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
|
| | Security | Audit Success | 12548 | 2020-03-18 13:12:27 | | Microsoft-Windows-Security-Auditing | 4672: Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
|
| | Security | Audit Success | 13824 | 2020-03-18 13:16:04 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x25f0 Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 13:16:04 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x25f0 Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 13:16:04 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x25f0 Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 13:16:04 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: DESKTOP-UT5JEJD$ Account Domain: WORKGROUP Logon ID: 0x3e7 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x25f0 Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 13:27:27 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466632 User: Security ID: S-1-5-21-4230960370-218822903-690480705-500 Account Name: Administrator Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1bcc Process Name: C:\Users\redblue\Desktop\AIDA64Portable-6.20.5353\App\AIDA64Extreme\aida64.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 13:27:27 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466632 User: Security ID: S-1-5-21-4230960370-218822903-690480705-500 Account Name: Administrator Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1bcc Process Name: C:\Users\redblue\Desktop\AIDA64Portable-6.20.5353\App\AIDA64Extreme\aida64.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 13:27:27 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466632 User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1bcc Process Name: C:\Users\redblue\Desktop\AIDA64Portable-6.20.5353\App\AIDA64Extreme\aida64.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 13:27:27 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466632 User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1bcc Process Name: C:\Users\redblue\Desktop\AIDA64Portable-6.20.5353\App\AIDA64Extreme\aida64.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 13:27:27 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466632 User: Security ID: S-1-5-21-4230960370-218822903-690480705-503 Account Name: DefaultAccount Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1bcc Process Name: C:\Users\redblue\Desktop\AIDA64Portable-6.20.5353\App\AIDA64Extreme\aida64.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 13:27:27 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466632 User: Security ID: S-1-5-21-4230960370-218822903-690480705-503 Account Name: DefaultAccount Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1bcc Process Name: C:\Users\redblue\Desktop\AIDA64Portable-6.20.5353\App\AIDA64Extreme\aida64.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 13:27:27 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466632 User: Security ID: S-1-5-21-4230960370-218822903-690480705-504 Account Name: WDAGUtilityAccount Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1bcc Process Name: C:\Users\redblue\Desktop\AIDA64Portable-6.20.5353\App\AIDA64Extreme\aida64.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 13:27:27 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466632 User: Security ID: S-1-5-21-4230960370-218822903-690480705-504 Account Name: WDAGUtilityAccount Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1bcc Process Name: C:\Users\redblue\Desktop\AIDA64Portable-6.20.5353\App\AIDA64Extreme\aida64.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 13:27:27 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466632 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1bcc Process Name: C:\Users\redblue\Desktop\AIDA64Portable-6.20.5353\App\AIDA64Extreme\aida64.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 13:27:27 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466632 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1bcc Process Name: C:\Users\redblue\Desktop\AIDA64Portable-6.20.5353\App\AIDA64Extreme\aida64.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 13:27:29 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466632 User: Security ID: S-1-5-21-4230960370-218822903-690480705-500 Account Name: Administrator Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1bcc Process Name: C:\Users\redblue\Desktop\AIDA64Portable-6.20.5353\App\AIDA64Extreme\aida64.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 13:27:29 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466632 User: Security ID: S-1-5-21-4230960370-218822903-690480705-500 Account Name: Administrator Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1bcc Process Name: C:\Users\redblue\Desktop\AIDA64Portable-6.20.5353\App\AIDA64Extreme\aida64.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 13:27:29 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466632 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1bcc Process Name: C:\Users\redblue\Desktop\AIDA64Portable-6.20.5353\App\AIDA64Extreme\aida64.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 13:27:29 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466632 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1bcc Process Name: C:\Users\redblue\Desktop\AIDA64Portable-6.20.5353\App\AIDA64Extreme\aida64.exe
|
| | Security | Audit Success | 13826 | 2020-03-18 13:27:29 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466632 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x1bcc Process Name: C:\Users\redblue\Desktop\AIDA64Portable-6.20.5353\App\AIDA64Extreme\aida64.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 13:27:31 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466632 User: Security ID: S-1-5-21-4230960370-218822903-690480705-500 Account Name: Administrator Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1bcc Process Name: C:\Users\redblue\Desktop\AIDA64Portable-6.20.5353\App\AIDA64Extreme\aida64.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 13:27:31 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466632 User: Security ID: S-1-5-21-4230960370-218822903-690480705-503 Account Name: DefaultAccount Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1bcc Process Name: C:\Users\redblue\Desktop\AIDA64Portable-6.20.5353\App\AIDA64Extreme\aida64.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 13:27:31 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466632 User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1bcc Process Name: C:\Users\redblue\Desktop\AIDA64Portable-6.20.5353\App\AIDA64Extreme\aida64.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 13:27:31 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466632 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1bcc Process Name: C:\Users\redblue\Desktop\AIDA64Portable-6.20.5353\App\AIDA64Extreme\aida64.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 13:27:31 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466632 User: Security ID: S-1-5-21-4230960370-218822903-690480705-504 Account Name: WDAGUtilityAccount Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1bcc Process Name: C:\Users\redblue\Desktop\AIDA64Portable-6.20.5353\App\AIDA64Extreme\aida64.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 13:27:31 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466632 User: Security ID: S-1-5-21-4230960370-218822903-690480705-500 Account Name: Administrator Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1bcc Process Name: C:\Users\redblue\Desktop\AIDA64Portable-6.20.5353\App\AIDA64Extreme\aida64.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 13:27:31 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466632 User: Security ID: S-1-5-21-4230960370-218822903-690480705-500 Account Name: Administrator Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1bcc Process Name: C:\Users\redblue\Desktop\AIDA64Portable-6.20.5353\App\AIDA64Extreme\aida64.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 13:30:05 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466632 User: Security ID: S-1-5-21-4230960370-218822903-690480705-500 Account Name: Administrator Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1bcc Process Name: C:\Users\redblue\Desktop\AIDA64Portable-6.20.5353\App\AIDA64Extreme\aida64.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 13:30:05 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466632 User: Security ID: S-1-5-21-4230960370-218822903-690480705-503 Account Name: DefaultAccount Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1bcc Process Name: C:\Users\redblue\Desktop\AIDA64Portable-6.20.5353\App\AIDA64Extreme\aida64.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 13:30:05 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466632 User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1bcc Process Name: C:\Users\redblue\Desktop\AIDA64Portable-6.20.5353\App\AIDA64Extreme\aida64.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 13:30:05 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466632 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1bcc Process Name: C:\Users\redblue\Desktop\AIDA64Portable-6.20.5353\App\AIDA64Extreme\aida64.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 13:30:05 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466632 User: Security ID: S-1-5-21-4230960370-218822903-690480705-504 Account Name: WDAGUtilityAccount Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1bcc Process Name: C:\Users\redblue\Desktop\AIDA64Portable-6.20.5353\App\AIDA64Extreme\aida64.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 13:30:05 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466632 User: Security ID: S-1-5-21-4230960370-218822903-690480705-500 Account Name: Administrator Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1bcc Process Name: C:\Users\redblue\Desktop\AIDA64Portable-6.20.5353\App\AIDA64Extreme\aida64.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 13:30:05 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466632 User: Security ID: S-1-5-21-4230960370-218822903-690480705-503 Account Name: DefaultAccount Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1bcc Process Name: C:\Users\redblue\Desktop\AIDA64Portable-6.20.5353\App\AIDA64Extreme\aida64.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 13:30:05 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466632 User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1bcc Process Name: C:\Users\redblue\Desktop\AIDA64Portable-6.20.5353\App\AIDA64Extreme\aida64.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 13:30:05 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466632 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1bcc Process Name: C:\Users\redblue\Desktop\AIDA64Portable-6.20.5353\App\AIDA64Extreme\aida64.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 13:30:05 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466632 User: Security ID: S-1-5-21-4230960370-218822903-690480705-504 Account Name: WDAGUtilityAccount Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1bcc Process Name: C:\Users\redblue\Desktop\AIDA64Portable-6.20.5353\App\AIDA64Extreme\aida64.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 13:30:05 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466632 User: Security ID: S-1-5-21-4230960370-218822903-690480705-500 Account Name: Administrator Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1bcc Process Name: C:\Users\redblue\Desktop\AIDA64Portable-6.20.5353\App\AIDA64Extreme\aida64.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 13:30:05 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466632 User: Security ID: S-1-5-21-4230960370-218822903-690480705-500 Account Name: Administrator Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1bcc Process Name: C:\Users\redblue\Desktop\AIDA64Portable-6.20.5353\App\AIDA64Extreme\aida64.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 13:30:05 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466632 User: Security ID: S-1-5-21-4230960370-218822903-690480705-503 Account Name: DefaultAccount Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1bcc Process Name: C:\Users\redblue\Desktop\AIDA64Portable-6.20.5353\App\AIDA64Extreme\aida64.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 13:30:05 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466632 User: Security ID: S-1-5-21-4230960370-218822903-690480705-503 Account Name: DefaultAccount Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1bcc Process Name: C:\Users\redblue\Desktop\AIDA64Portable-6.20.5353\App\AIDA64Extreme\aida64.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 13:30:05 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466632 User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1bcc Process Name: C:\Users\redblue\Desktop\AIDA64Portable-6.20.5353\App\AIDA64Extreme\aida64.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 13:30:05 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466632 User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1bcc Process Name: C:\Users\redblue\Desktop\AIDA64Portable-6.20.5353\App\AIDA64Extreme\aida64.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 13:30:05 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466632 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1bcc Process Name: C:\Users\redblue\Desktop\AIDA64Portable-6.20.5353\App\AIDA64Extreme\aida64.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 13:30:05 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466632 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1bcc Process Name: C:\Users\redblue\Desktop\AIDA64Portable-6.20.5353\App\AIDA64Extreme\aida64.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 13:30:05 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466632 User: Security ID: S-1-5-21-4230960370-218822903-690480705-504 Account Name: WDAGUtilityAccount Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1bcc Process Name: C:\Users\redblue\Desktop\AIDA64Portable-6.20.5353\App\AIDA64Extreme\aida64.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 13:30:05 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466632 User: Security ID: S-1-5-21-4230960370-218822903-690480705-504 Account Name: WDAGUtilityAccount Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1bcc Process Name: C:\Users\redblue\Desktop\AIDA64Portable-6.20.5353\App\AIDA64Extreme\aida64.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 13:30:05 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466632 User: Security ID: S-1-5-21-4230960370-218822903-690480705-500 Account Name: Administrator Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1bcc Process Name: C:\Users\redblue\Desktop\AIDA64Portable-6.20.5353\App\AIDA64Extreme\aida64.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 13:30:05 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466632 User: Security ID: S-1-5-21-4230960370-218822903-690480705-500 Account Name: Administrator Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1bcc Process Name: C:\Users\redblue\Desktop\AIDA64Portable-6.20.5353\App\AIDA64Extreme\aida64.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 13:30:05 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466632 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1bcc Process Name: C:\Users\redblue\Desktop\AIDA64Portable-6.20.5353\App\AIDA64Extreme\aida64.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 13:30:05 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466632 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1bcc Process Name: C:\Users\redblue\Desktop\AIDA64Portable-6.20.5353\App\AIDA64Extreme\aida64.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 13:30:05 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466632 User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1bcc Process Name: C:\Users\redblue\Desktop\AIDA64Portable-6.20.5353\App\AIDA64Extreme\aida64.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 13:30:05 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466632 User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1bcc Process Name: C:\Users\redblue\Desktop\AIDA64Portable-6.20.5353\App\AIDA64Extreme\aida64.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 13:30:05 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466632 User: Security ID: S-1-5-21-4230960370-218822903-690480705-503 Account Name: DefaultAccount Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1bcc Process Name: C:\Users\redblue\Desktop\AIDA64Portable-6.20.5353\App\AIDA64Extreme\aida64.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 13:30:05 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466632 User: Security ID: S-1-5-21-4230960370-218822903-690480705-503 Account Name: DefaultAccount Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1bcc Process Name: C:\Users\redblue\Desktop\AIDA64Portable-6.20.5353\App\AIDA64Extreme\aida64.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 13:30:05 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466632 User: Security ID: S-1-5-21-4230960370-218822903-690480705-500 Account Name: Administrator Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1bcc Process Name: C:\Users\redblue\Desktop\AIDA64Portable-6.20.5353\App\AIDA64Extreme\aida64.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 13:30:05 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466632 User: Security ID: S-1-5-21-4230960370-218822903-690480705-500 Account Name: Administrator Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1bcc Process Name: C:\Users\redblue\Desktop\AIDA64Portable-6.20.5353\App\AIDA64Extreme\aida64.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 13:30:05 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466632 User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1bcc Process Name: C:\Users\redblue\Desktop\AIDA64Portable-6.20.5353\App\AIDA64Extreme\aida64.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 13:30:05 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466632 User: Security ID: S-1-5-21-4230960370-218822903-690480705-501 Account Name: Guest Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1bcc Process Name: C:\Users\redblue\Desktop\AIDA64Portable-6.20.5353\App\AIDA64Extreme\aida64.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 13:30:05 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466632 User: Security ID: S-1-5-21-4230960370-218822903-690480705-503 Account Name: DefaultAccount Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1bcc Process Name: C:\Users\redblue\Desktop\AIDA64Portable-6.20.5353\App\AIDA64Extreme\aida64.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 13:30:05 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466632 User: Security ID: S-1-5-21-4230960370-218822903-690480705-503 Account Name: DefaultAccount Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1bcc Process Name: C:\Users\redblue\Desktop\AIDA64Portable-6.20.5353\App\AIDA64Extreme\aida64.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 13:30:05 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466632 User: Security ID: S-1-5-21-4230960370-218822903-690480705-504 Account Name: WDAGUtilityAccount Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1bcc Process Name: C:\Users\redblue\Desktop\AIDA64Portable-6.20.5353\App\AIDA64Extreme\aida64.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 13:30:05 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466632 User: Security ID: S-1-5-21-4230960370-218822903-690480705-504 Account Name: WDAGUtilityAccount Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1bcc Process Name: C:\Users\redblue\Desktop\AIDA64Portable-6.20.5353\App\AIDA64Extreme\aida64.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 13:30:05 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466632 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1bcc Process Name: C:\Users\redblue\Desktop\AIDA64Portable-6.20.5353\App\AIDA64Extreme\aida64.exe
|
| | Security | Audit Success | 13824 | 2020-03-18 13:30:05 | | Microsoft-Windows-Security-Auditing | 4798: A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466632 User: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Process Information: Process ID: 0x1bcc Process Name: C:\Users\redblue\Desktop\AIDA64Portable-6.20.5353\App\AIDA64Extreme\aida64.exe
|
| | Security | Audit Success | 13826 | 2020-03-18 13:30:05 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466632 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x1bcc Process Name: C:\Users\redblue\Desktop\AIDA64Portable-6.20.5353\App\AIDA64Extreme\aida64.exe
|
| | Security | Audit Success | 13826 | 2020-03-18 13:30:05 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466632 Group: Security ID: S-1-5-32-583 Group Name: Device Owners Group Domain: Builtin Process Information: Process ID: 0x1bcc Process Name: C:\Users\redblue\Desktop\AIDA64Portable-6.20.5353\App\AIDA64Extreme\aida64.exe
|
| | Security | Audit Success | 13826 | 2020-03-18 13:30:05 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466632 Group: Security ID: S-1-5-32-562 Group Name: Distributed COM Users Group Domain: Builtin Process Information: Process ID: 0x1bcc Process Name: C:\Users\redblue\Desktop\AIDA64Portable-6.20.5353\App\AIDA64Extreme\aida64.exe
|
| | Security | Audit Success | 13826 | 2020-03-18 13:30:05 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466632 Group: Security ID: S-1-5-32-573 Group Name: Event Log Readers Group Domain: Builtin Process Information: Process ID: 0x1bcc Process Name: C:\Users\redblue\Desktop\AIDA64Portable-6.20.5353\App\AIDA64Extreme\aida64.exe
|
| | Security | Audit Success | 13826 | 2020-03-18 13:30:05 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466632 Group: Security ID: S-1-5-32-546 Group Name: Guests Group Domain: Builtin Process Information: Process ID: 0x1bcc Process Name: C:\Users\redblue\Desktop\AIDA64Portable-6.20.5353\App\AIDA64Extreme\aida64.exe
|
| | Security | Audit Success | 13826 | 2020-03-18 13:30:05 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466632 Group: Security ID: S-1-5-32-578 Group Name: Hyper-V Administrators Group Domain: Builtin Process Information: Process ID: 0x1bcc Process Name: C:\Users\redblue\Desktop\AIDA64Portable-6.20.5353\App\AIDA64Extreme\aida64.exe
|
| | Security | Audit Success | 13826 | 2020-03-18 13:30:05 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466632 Group: Security ID: S-1-5-32-568 Group Name: IIS_IUSRS Group Domain: Builtin Process Information: Process ID: 0x1bcc Process Name: C:\Users\redblue\Desktop\AIDA64Portable-6.20.5353\App\AIDA64Extreme\aida64.exe
|
| | Security | Audit Success | 13826 | 2020-03-18 13:30:05 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466632 Group: Security ID: S-1-5-32-559 Group Name: Performance Log Users Group Domain: Builtin Process Information: Process ID: 0x1bcc Process Name: C:\Users\redblue\Desktop\AIDA64Portable-6.20.5353\App\AIDA64Extreme\aida64.exe
|
| | Security | Audit Success | 13826 | 2020-03-18 13:30:05 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466632 Group: Security ID: S-1-5-32-558 Group Name: Performance Monitor Users Group Domain: Builtin Process Information: Process ID: 0x1bcc Process Name: C:\Users\redblue\Desktop\AIDA64Portable-6.20.5353\App\AIDA64Extreme\aida64.exe
|
| | Security | Audit Success | 13826 | 2020-03-18 13:30:05 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466632 Group: Security ID: S-1-5-32-580 Group Name: Remote Management Users Group Domain: Builtin Process Information: Process ID: 0x1bcc Process Name: C:\Users\redblue\Desktop\AIDA64Portable-6.20.5353\App\AIDA64Extreme\aida64.exe
|
| | Security | Audit Success | 13826 | 2020-03-18 13:30:05 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466632 Group: Security ID: S-1-5-32-581 Group Name: System Managed Accounts Group Group Domain: Builtin Process Information: Process ID: 0x1bcc Process Name: C:\Users\redblue\Desktop\AIDA64Portable-6.20.5353\App\AIDA64Extreme\aida64.exe
|
| | Security | Audit Success | 13826 | 2020-03-18 13:30:05 | | Microsoft-Windows-Security-Auditing | 4799: A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-21-4230960370-218822903-690480705-1002 Account Name: redblue Account Domain: DESKTOP-UT5JEJD Logon ID: 0x466632 Group: Security ID: S-1-5-32-545 Group Name: Users Group Domain: Builtin Process Information: Process ID: 0x1bcc Process Name: C:\Users\redblue\Desktop\AIDA64Portable-6.20.5353\App\AIDA64Extreme\aida64.exe
|
| | System | Warning | 212 | 2020-03-18 10:09:46 | SYSTEM | Microsoft-Windows-Kernel-PnP | 219: The driver \Driver\WudfRd failed to load for the device PCI\VEN_8086&DEV_8A03&SUBSYS_03611854&REV_03\3&11583659&0&20.
|
| | System | Warning | 212 | 2020-03-18 10:09:46 | SYSTEM | Microsoft-Windows-Kernel-PnP | 219: The driver \Driver\WudfRd failed to load for the device ACPI\GXFP5A8B\4&33f16e05&0.
|
| | System | Error | None | 2020-03-18 10:09:56 | | EventLog | 6008: The previous system shutdown at 1:38:53 AM on 3/16/2020 was unexpected.
|
| | System | Warning | None | 2020-03-18 10:09:57 | LOCAL SERVICE | DCOM | 10016: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {6B3B8D23-FA8D-40B9-8DBD-B950333E2C52} and APPID {4839DDB7-58C2-48F5-8283-E1D1807D0D7D} to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
|
| | System | Warning | None | 2020-03-18 10:09:57 | LOCAL SERVICE | DCOM | 10016: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {6B3B8D23-FA8D-40B9-8DBD-B950333E2C52} and APPID {4839DDB7-58C2-48F5-8283-E1D1807D0D7D} to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
|
| | System | Error | None | 2020-03-18 10:09:58 | 1332 | DCOM | 10010: The server {AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} did not register with DCOM within the required timeout.
|
| | System | Warning | None | 2020-03-18 10:09:59 | SYSTEM | Microsoft-Windows-WLAN-AutoConfig | 10002: WLAN Extensibility Module has stopped. Module Path: C:\Windows\system32\IntelWifiIhv08.dll
|
| | System | Warning | None | 2020-03-18 10:09:59 | SYSTEM | Microsoft-Windows-WLAN-AutoConfig | 10004: WLAN Extensibility Module has timed out. Module Path: C:\Windows\system32\IntelWifiIhv08.dll
|
| | System | Warning | None | 2020-03-18 10:09:59 | SYSTEM | Microsoft-Windows-WLAN-AutoConfig | 10004: WLAN Extensibility Module has timed out. Module Path: C:\Windows\system32\IntelWifiIhv08.dll
|
| | System | Error | None | 2020-03-18 10:10:00 | | Service Control Manager | 7023: The LanmanServer service terminated with the following error: %%1115
|
| | System | Warning | 212 | 2020-03-18 10:10:13 | SYSTEM | Microsoft-Windows-Kernel-PnP | 219: The driver \Driver\WudfRd failed to load for the device PCI\VEN_8086&DEV_8A03&SUBSYS_03611854&REV_03\3&11583659&0&20.
|
| | System | Warning | 212 | 2020-03-18 10:10:14 | SYSTEM | Microsoft-Windows-Kernel-PnP | 219: The driver \Driver\WudfRd failed to load for the device ACPI\GXFP5A8B\4&33f16e05&0.
|
| | System | Warning | None | 2020-03-18 10:10:30 | LOCAL SERVICE | Microsoft-Windows-Time-Service | 134: NtpClient was unable to set a manual peer to use as a time source because of DNS resolution error on 'time.windows.com,0x9'. NtpClient will try again in 15 minutes and double the reattempt interval thereafter. The error was: No such host is known. (0x80072AF9)
|
| | System | Warning | None | 2020-03-18 10:10:32 | LOCAL SERVICE | Microsoft-Windows-Time-Service | 134: NtpClient was unable to set a manual peer to use as a time source because of DNS resolution error on 'time.windows.com,0x9'. NtpClient will try again in 15 minutes and double the reattempt interval thereafter. The error was: No such host is known. (0x80072AF9)
|
| | System | Error | None | 2020-03-18 10:11:12 | | Service Control Manager | 7009: A timeout was reached (45000 milliseconds) while waiting for the SynaAssist service to connect.
|
| | System | Error | None | 2020-03-18 10:11:12 | | Service Control Manager | 7000: The SynaAssist service failed to start due to the following error: %%1053
|
| | System | Warning | 7 | 2020-03-18 10:11:25 | SYSTEM | Microsoft-Windows-Kernel-Processor-Power | 37: The speed of Hyper-V logical processor 7 is being limited by system firmware. The processor has been in this reduced performance state for 71 seconds since the last report.
|
| | System | Warning | None | 2020-03-18 10:15:20 | LOCAL SERVICE | Microsoft-Windows-Time-Service | 134: NtpClient was unable to set a manual peer to use as a time source because of DNS resolution error on 'time.windows.com,0x9'. NtpClient will try again in 15 minutes and double the reattempt interval thereafter. The error was: No such host is known. (0x80072AF9)
|
| | System | Warning | None | 2020-03-18 10:15:52 | SYSTEM | Microsoft-Windows-WLAN-AutoConfig | 10002: WLAN Extensibility Module has stopped. Module Path: C:\Windows\system32\IntelWifiIhv08.dll
|
| | System | Warning | 212 | 2020-03-18 10:16:04 | SYSTEM | Microsoft-Windows-Kernel-PnP | 219: The driver \Driver\WudfRd failed to load for the device PCI\VEN_8086&DEV_8A03&SUBSYS_03611854&REV_03\3&11583659&0&20.
|
| | System | Warning | 212 | 2020-03-18 10:16:04 | SYSTEM | Microsoft-Windows-Kernel-PnP | 219: The driver \Driver\WudfRd failed to load for the device ACPI\GXFP5A8B\4&33f16e05&0.
|
| | System | Warning | None | 2020-03-18 10:16:14 | LOCAL SERVICE | Microsoft-Windows-Time-Service | 134: NtpClient was unable to set a manual peer to use as a time source because of DNS resolution error on 'time.windows.com,0x9'. NtpClient will try again in 15 minutes and double the reattempt interval thereafter. The error was: No such host is known. (0x80072AF9)
|
| | System | Warning | None | 2020-03-18 10:16:15 | LOCAL SERVICE | Microsoft-Windows-Time-Service | 134: NtpClient was unable to set a manual peer to use as a time source because of DNS resolution error on 'time.windows.com,0x9'. NtpClient will try again in 15 minutes and double the reattempt interval thereafter. The error was: No such host is known. (0x80072AF9)
|
| | System | Warning | None | 2020-03-18 10:16:31 | | Netwtw08 | 6062: 6062 - Lso was triggered
|
| | System | Error | None | 2020-03-18 10:17:01 | | Service Control Manager | 7009: A timeout was reached (45000 milliseconds) while waiting for the SynaAssist service to connect.
|
| | System | Error | None | 2020-03-18 10:17:01 | | Service Control Manager | 7000: The SynaAssist service failed to start due to the following error: %%1053
|
| | System | Warning | None | 2020-03-18 10:17:02 | LOCAL SERVICE | DCOM | 10016: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {6B3B8D23-FA8D-40B9-8DBD-B950333E2C52} and APPID {4839DDB7-58C2-48F5-8283-E1D1807D0D7D} to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
|
| | System | Warning | None | 2020-03-18 10:17:02 | LOCAL SERVICE | DCOM | 10016: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {6B3B8D23-FA8D-40B9-8DBD-B950333E2C52} and APPID {4839DDB7-58C2-48F5-8283-E1D1807D0D7D} to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
|
| | System | Warning | 1014 | 2020-03-18 10:17:04 | NETWORK SERVICE | Microsoft-Windows-DNS-Client | 1014: Name resolution for the name settings-win.data.microsoft.com timed out after none of the configured DNS servers responded.
|
| | System | Warning | 7 | 2020-03-18 10:17:15 | SYSTEM | Microsoft-Windows-Kernel-Processor-Power | 37: The speed of Hyper-V logical processor 7 is being limited by system firmware. The processor has been in this reduced performance state for 71 seconds since the last report.
|
| | System | Error | None | 2020-03-18 10:18:49 | | Service Control Manager | 7023: The Windows Modules Installer service terminated with the following error: %%16389
|
| | System | Error | None | 2020-03-18 10:18:51 | SYSTEM | DCOM | 10005: DCOM got error "1115" attempting to start the service TrustedInstaller with arguments "Unavailable" in order to run the server: {752073A1-23F2-4396-85F0-8FDB879ED0ED}
|
| | System | Warning | None | 2020-03-18 10:18:54 | SYSTEM | Microsoft-Windows-WLAN-AutoConfig | 10002: WLAN Extensibility Module has stopped. Module Path: C:\Windows\system32\IntelWifiIhv08.dll
|
| | System | Warning | 212 | 2020-03-18 10:19:07 | SYSTEM | Microsoft-Windows-Kernel-PnP | 219: The driver \Driver\WudfRd failed to load for the device PCI\VEN_8086&DEV_8A03&SUBSYS_03611854&REV_03\3&11583659&0&20.
|
| | System | Warning | 212 | 2020-03-18 10:19:07 | SYSTEM | Microsoft-Windows-Kernel-PnP | 219: The driver \Driver\WudfRd failed to load for the device ACPI\GXFP5A8B\4&33f16e05&0.
|
| | System | Error | None | 2020-03-18 10:20:01 | | Service Control Manager | 7009: A timeout was reached (45000 milliseconds) while waiting for the SynaAssist service to connect.
|
| | System | Error | None | 2020-03-18 10:20:01 | | Service Control Manager | 7000: The SynaAssist service failed to start due to the following error: %%1053
|
| | System | Warning | None | 2020-03-18 10:20:01 | LOCAL SERVICE | DCOM | 10016: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {6B3B8D23-FA8D-40B9-8DBD-B950333E2C52} and APPID {4839DDB7-58C2-48F5-8283-E1D1807D0D7D} to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
|
| | System | Warning | None | 2020-03-18 10:20:01 | LOCAL SERVICE | DCOM | 10016: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {6B3B8D23-FA8D-40B9-8DBD-B950333E2C52} and APPID {4839DDB7-58C2-48F5-8283-E1D1807D0D7D} to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
|
| | System | Warning | 7 | 2020-03-18 10:20:18 | SYSTEM | Microsoft-Windows-Kernel-Processor-Power | 37: The speed of Hyper-V logical processor 7 is being limited by system firmware. The processor has been in this reduced performance state for 71 seconds since the last report.
|
| | System | Warning | None | 2020-03-18 10:23:49 | LOCAL SERVICE | DCOM | 10016: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {6B3B8D23-FA8D-40B9-8DBD-B950333E2C52} and APPID {4839DDB7-58C2-48F5-8283-E1D1807D0D7D} to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
|
| | System | Warning | None | 2020-03-18 10:23:49 | LOCAL SERVICE | DCOM | 10016: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {6B3B8D23-FA8D-40B9-8DBD-B950333E2C52} and APPID {4839DDB7-58C2-48F5-8283-E1D1807D0D7D} to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
|
| | System | Warning | None | 2020-03-18 10:25:57 | redblue | DCOM | 10016: The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID {C2F03A33-21F5-47FA-B4BB-156362A2F239} and APPID {316CDED5-E4AE-4B15-9113-7055D84DCC97} to the user DESKTOP-UT5JEJD\redblue SID (S-1-5-21-4230960370-218822903-690480705-1002) from address LocalHost (Using LRPC) running in the application container Microsoft.Windows.ShellExperienceHost_10.0.18362.449_neutral_neutral_cw5n1h2txyewy SID (S-1-15-2-155514346-2573954481-755741238-1654018636-1233331829-3075935687-2861478708). This security permission can be modified using the Component Services administrative tool.
|
| | System | Warning | None | 2020-03-18 10:34:17 | | Netwtw08 | 6062: 6062 - Lso was triggered
|
| | System | Error | None | 2020-03-18 10:34:34 | redblue | DCOM | 10010: The server Microsoft.XboxGamingOverlay_2.26.14003.0_x64__8wekyb3d8bbwe!App.AppXrfdt3p0f38tc4nxz7ajrd5as6ctb0dck.mca did not register with DCOM within the required timeout.
|
| | System | Warning | 1014 | 2020-03-18 10:34:59 | NETWORK SERVICE | Microsoft-Windows-DNS-Client | 1014: Name resolution for the name ris.api.iris.microsoft.com timed out after none of the configured DNS servers responded.
|
| | System | Warning | None | 2020-03-18 10:44:47 | redblue | DCOM | 10016: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {2593F8B9-4EAF-457C-B68A-50F6B8EA6B54} and APPID {15C20B67-12E7-4BB6-92BB-7AFF07997402} to the user DESKTOP-UT5JEJD\redblue SID (S-1-5-21-4230960370-218822903-690480705-1002) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
|
| | System | Warning | None | 2020-03-18 10:48:04 | redblue | DCOM | 10016: The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID {C2F03A33-21F5-47FA-B4BB-156362A2F239} and APPID {316CDED5-E4AE-4B15-9113-7055D84DCC97} to the user DESKTOP-UT5JEJD\redblue SID (S-1-5-21-4230960370-218822903-690480705-1002) from address LocalHost (Using LRPC) running in the application container Microsoft.Windows.ShellExperienceHost_10.0.18362.449_neutral_neutral_cw5n1h2txyewy SID (S-1-15-2-155514346-2573954481-755741238-1654018636-1233331829-3075935687-2861478708). This security permission can be modified using the Component Services administrative tool.
|
| | System | Warning | None | 2020-03-18 10:52:31 | redblue | DCOM | 10016: The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID {C2F03A33-21F5-47FA-B4BB-156362A2F239} and APPID {316CDED5-E4AE-4B15-9113-7055D84DCC97} to the user DESKTOP-UT5JEJD\redblue SID (S-1-5-21-4230960370-218822903-690480705-1002) from address LocalHost (Using LRPC) running in the application container Microsoft.Windows.ShellExperienceHost_10.0.18362.449_neutral_neutral_cw5n1h2txyewy SID (S-1-15-2-155514346-2573954481-755741238-1654018636-1233331829-3075935687-2861478708). This security permission can be modified using the Component Services administrative tool.
|
| | System | Warning | None | 2020-03-18 10:55:41 | redblue | DCOM | 10016: The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID {C2F03A33-21F5-47FA-B4BB-156362A2F239} and APPID {316CDED5-E4AE-4B15-9113-7055D84DCC97} to the user DESKTOP-UT5JEJD\redblue SID (S-1-5-21-4230960370-218822903-690480705-1002) from address LocalHost (Using LRPC) running in the application container Microsoft.Windows.ShellExperienceHost_10.0.18362.449_neutral_neutral_cw5n1h2txyewy SID (S-1-15-2-155514346-2573954481-755741238-1654018636-1233331829-3075935687-2861478708). This security permission can be modified using the Component Services administrative tool.
|
| | System | Warning | None | 2020-03-18 10:57:05 | redblue | DCOM | 10016: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {2593F8B9-4EAF-457C-B68A-50F6B8EA6B54} and APPID {15C20B67-12E7-4BB6-92BB-7AFF07997402} to the user DESKTOP-UT5JEJD\redblue SID (S-1-5-21-4230960370-218822903-690480705-1002) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
|
| | System | Warning | None | 2020-03-18 11:05:15 | SYSTEM | Microsoft-Windows-WLAN-AutoConfig | 10002: WLAN Extensibility Module has stopped. Module Path: C:\Windows\system32\IntelWifiIhv08.dll
|
| | System | Warning | 212 | 2020-03-18 11:05:26 | SYSTEM | Microsoft-Windows-Kernel-PnP | 219: The driver \Driver\WudfRd failed to load for the device PCI\VEN_8086&DEV_8A03&SUBSYS_03611854&REV_03\3&11583659&0&20.
|
| | System | Warning | 212 | 2020-03-18 11:05:26 | SYSTEM | Microsoft-Windows-Kernel-PnP | 219: The driver \Driver\WudfRd failed to load for the device ACPI\GXFP5A8B\4&33f16e05&0.
|
| | System | Error | None | 2020-03-18 11:06:20 | | Service Control Manager | 7009: A timeout was reached (45000 milliseconds) while waiting for the SynaAssist service to connect.
|
| | System | Error | None | 2020-03-18 11:06:20 | | Service Control Manager | 7000: The SynaAssist service failed to start due to the following error: %%1053
|
| | System | Warning | 7 | 2020-03-18 11:06:38 | SYSTEM | Microsoft-Windows-Kernel-Processor-Power | 37: The speed of Hyper-V logical processor 7 is being limited by system firmware. The processor has been in this reduced performance state for 71 seconds since the last report.
|
| | System | Warning | None | 2020-03-18 11:06:59 | redblue | DCOM | 10016: The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID {C2F03A33-21F5-47FA-B4BB-156362A2F239} and APPID {316CDED5-E4AE-4B15-9113-7055D84DCC97} to the user DESKTOP-UT5JEJD\redblue SID (S-1-5-21-4230960370-218822903-690480705-1002) from address LocalHost (Using LRPC) running in the application container Microsoft.Windows.ShellExperienceHost_10.0.18362.449_neutral_neutral_cw5n1h2txyewy SID (S-1-15-2-155514346-2573954481-755741238-1654018636-1233331829-3075935687-2861478708). This security permission can be modified using the Component Services administrative tool.
|
| | System | Warning | None | 2020-03-18 11:07:06 | redblue | DCOM | 10016: The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID {C2F03A33-21F5-47FA-B4BB-156362A2F239} and APPID {316CDED5-E4AE-4B15-9113-7055D84DCC97} to the user DESKTOP-UT5JEJD\redblue SID (S-1-5-21-4230960370-218822903-690480705-1002) from address LocalHost (Using LRPC) running in the application container Microsoft.Windows.ShellExperienceHost_10.0.18362.449_neutral_neutral_cw5n1h2txyewy SID (S-1-15-2-155514346-2573954481-755741238-1654018636-1233331829-3075935687-2861478708). This security permission can be modified using the Component Services administrative tool.
|
| | System | Warning | None | 2020-03-18 11:07:41 | redblue | DCOM | 10016: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {2593F8B9-4EAF-457C-B68A-50F6B8EA6B54} and APPID {15C20B67-12E7-4BB6-92BB-7AFF07997402} to the user DESKTOP-UT5JEJD\redblue SID (S-1-5-21-4230960370-218822903-690480705-1002) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
|
| | System | Warning | None | 2020-03-18 11:08:07 | | Netwtw08 | 6062: 6062 - Lso was triggered
|
| | System | Warning | None | 2020-03-18 11:08:22 | SYSTEM | DCOM | 10016: The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID Windows.SecurityCenter.WscDataProtection and APPID Unavailable to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
|
| | System | Warning | None | 2020-03-18 11:08:22 | SYSTEM | DCOM | 10016: The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID Windows.SecurityCenter.WscBrokerManager and APPID Unavailable to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
|
| | System | Warning | None | 2020-03-18 11:08:22 | SYSTEM | DCOM | 10016: The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID Windows.SecurityCenter.SecurityAppBroker and APPID Unavailable to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
|
| | System | Warning | None | 2020-03-18 11:10:57 | SYSTEM | Microsoft-Windows-WLAN-AutoConfig | 10002: WLAN Extensibility Module has stopped. Module Path: C:\Windows\system32\IntelWifiIhv08.dll
|
| | System | Warning | 212 | 2020-03-18 11:13:04 | SYSTEM | Microsoft-Windows-Kernel-PnP | 219: The driver \Driver\WudfRd failed to load for the device PCI\VEN_8086&DEV_8A03&SUBSYS_03611854&REV_03\3&11583659&0&20.
|
| | System | Warning | 212 | 2020-03-18 11:13:04 | SYSTEM | Microsoft-Windows-Kernel-PnP | 219: The driver \Driver\WudfRd failed to load for the device ACPI\GXFP5A8B\4&33f16e05&0.
|
| | System | Warning | None | 2020-03-18 11:13:17 | | Netwtw08 | 6062: 6062 - Lso was triggered
|
| | System | Warning | None | 2020-03-18 11:13:27 | redblue | DCOM | 10016: The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID {C2F03A33-21F5-47FA-B4BB-156362A2F239} and APPID {316CDED5-E4AE-4B15-9113-7055D84DCC97} to the user DESKTOP-UT5JEJD\redblue SID (S-1-5-21-4230960370-218822903-690480705-1002) from address LocalHost (Using LRPC) running in the application container Microsoft.Windows.ShellExperienceHost_10.0.18362.449_neutral_neutral_cw5n1h2txyewy SID (S-1-15-2-155514346-2573954481-755741238-1654018636-1233331829-3075935687-2861478708). This security permission can be modified using the Component Services administrative tool.
|
| | System | Error | None | 2020-03-18 11:13:57 | | Service Control Manager | 7009: A timeout was reached (45000 milliseconds) while waiting for the SynaAssist service to connect.
|
| | System | Error | None | 2020-03-18 11:13:57 | | Service Control Manager | 7000: The SynaAssist service failed to start due to the following error: %%1053
|
| | System | Warning | None | 2020-03-18 11:14:01 | redblue | DCOM | 10016: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {2593F8B9-4EAF-457C-B68A-50F6B8EA6B54} and APPID {15C20B67-12E7-4BB6-92BB-7AFF07997402} to the user DESKTOP-UT5JEJD\redblue SID (S-1-5-21-4230960370-218822903-690480705-1002) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
|
| | System | Warning | 7 | 2020-03-18 11:14:15 | SYSTEM | Microsoft-Windows-Kernel-Processor-Power | 37: The speed of Hyper-V logical processor 7 is being limited by system firmware. The processor has been in this reduced performance state for 71 seconds since the last report.
|
| | System | Warning | None | 2020-03-18 11:15:58 | SYSTEM | DCOM | 10016: The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID Windows.SecurityCenter.SecurityAppBroker and APPID Unavailable to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
|
| | System | Warning | None | 2020-03-18 11:15:58 | SYSTEM | DCOM | 10016: The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID Windows.SecurityCenter.WscBrokerManager and APPID Unavailable to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
|
| | System | Warning | None | 2020-03-18 11:15:58 | SYSTEM | DCOM | 10016: The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID Windows.SecurityCenter.WscDataProtection and APPID Unavailable to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
|
| | System | Warning | None | 2020-03-18 11:16:11 | redblue | DCOM | 10016: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {2593F8B9-4EAF-457C-B68A-50F6B8EA6B54} and APPID {15C20B67-12E7-4BB6-92BB-7AFF07997402} to the user DESKTOP-UT5JEJD\redblue SID (S-1-5-21-4230960370-218822903-690480705-1002) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
|
| | System | Warning | None | 2020-03-18 11:20:51 | redblue | DCOM | 10016: The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID {C2F03A33-21F5-47FA-B4BB-156362A2F239} and APPID {316CDED5-E4AE-4B15-9113-7055D84DCC97} to the user DESKTOP-UT5JEJD\redblue SID (S-1-5-21-4230960370-218822903-690480705-1002) from address LocalHost (Using LRPC) running in the application container Microsoft.Windows.ShellExperienceHost_10.0.18362.449_neutral_neutral_cw5n1h2txyewy SID (S-1-15-2-155514346-2573954481-755741238-1654018636-1233331829-3075935687-2861478708). This security permission can be modified using the Component Services administrative tool.
|
| | System | Warning | None | 2020-03-18 11:27:12 | redblue | DCOM | 10016: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {2593F8B9-4EAF-457C-B68A-50F6B8EA6B54} and APPID {15C20B67-12E7-4BB6-92BB-7AFF07997402} to the user DESKTOP-UT5JEJD\redblue SID (S-1-5-21-4230960370-218822903-690480705-1002) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
|
| | System | Warning | None | 2020-03-18 11:30:52 | SYSTEM | Microsoft-Windows-WLAN-AutoConfig | 10002: WLAN Extensibility Module has stopped. Module Path: C:\Windows\system32\IntelWifiIhv08.dll
|
| | System | Warning | None | 2020-03-18 11:31:02 | | Netwtw08 | 6062: 6062 - Lso was triggered
|
| | System | Warning | None | 2020-03-18 11:36:49 | redblue | DCOM | 10016: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {2593F8B9-4EAF-457C-B68A-50F6B8EA6B54} and APPID {15C20B67-12E7-4BB6-92BB-7AFF07997402} to the user DESKTOP-UT5JEJD\redblue SID (S-1-5-21-4230960370-218822903-690480705-1002) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
|
| | System | Warning | None | 2020-03-18 11:38:02 | SYSTEM | Microsoft-Windows-WLAN-AutoConfig | 10002: WLAN Extensibility Module has stopped. Module Path: C:\Windows\system32\IntelIHVRouter08.dll
|
| | System | Warning | 212 | 2020-03-18 11:38:15 | SYSTEM | Microsoft-Windows-Kernel-PnP | 219: The driver \Driver\WudfRd failed to load for the device PCI\VEN_8086&DEV_8A03&SUBSYS_03611854&REV_03\3&11583659&0&20.
|
| | System | Warning | 212 | 2020-03-18 11:38:16 | SYSTEM | Microsoft-Windows-Kernel-PnP | 219: The driver \Driver\WudfRd failed to load for the device ACPI\GXFP5A8B\4&33f16e05&0.
|
| | System | Warning | None | 2020-03-18 11:38:28 | | Netwtw08 | 6062: 6062 - Lso was triggered
|
| | System | Error | None | 2020-03-18 11:39:08 | | Service Control Manager | 7009: A timeout was reached (45000 milliseconds) while waiting for the SynaAssist service to connect.
|
| | System | Error | None | 2020-03-18 11:39:08 | | Service Control Manager | 7000: The SynaAssist service failed to start due to the following error: %%1053
|
| | System | Warning | 7 | 2020-03-18 11:39:27 | SYSTEM | Microsoft-Windows-Kernel-Processor-Power | 37: The speed of Hyper-V logical processor 7 is being limited by system firmware. The processor has been in this reduced performance state for 71 seconds since the last report.
|
| | System | Warning | None | 2020-03-18 11:39:35 | redblue | DCOM | 10016: The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID {C2F03A33-21F5-47FA-B4BB-156362A2F239} and APPID {316CDED5-E4AE-4B15-9113-7055D84DCC97} to the user DESKTOP-UT5JEJD\redblue SID (S-1-5-21-4230960370-218822903-690480705-1002) from address LocalHost (Using LRPC) running in the application container Microsoft.Windows.ShellExperienceHost_10.0.18362.449_neutral_neutral_cw5n1h2txyewy SID (S-1-15-2-155514346-2573954481-755741238-1654018636-1233331829-3075935687-2861478708). This security permission can be modified using the Component Services administrative tool.
|
| | System | Warning | None | 2020-03-18 11:40:12 | redblue | DCOM | 10016: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {2593F8B9-4EAF-457C-B68A-50F6B8EA6B54} and APPID {15C20B67-12E7-4BB6-92BB-7AFF07997402} to the user DESKTOP-UT5JEJD\redblue SID (S-1-5-21-4230960370-218822903-690480705-1002) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
|
| | System | Warning | None | 2020-03-18 11:41:10 | SYSTEM | DCOM | 10016: The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID Windows.SecurityCenter.SecurityAppBroker and APPID Unavailable to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
|
| | System | Warning | None | 2020-03-18 11:41:10 | SYSTEM | DCOM | 10016: The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID Windows.SecurityCenter.WscBrokerManager and APPID Unavailable to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
|
| | System | Warning | None | 2020-03-18 11:41:10 | SYSTEM | DCOM | 10016: The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID Windows.SecurityCenter.WscDataProtection and APPID Unavailable to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
|
| | System | Warning | None | 2020-03-18 11:46:06 | redblue | DCOM | 10016: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {2593F8B9-4EAF-457C-B68A-50F6B8EA6B54} and APPID {15C20B67-12E7-4BB6-92BB-7AFF07997402} to the user DESKTOP-UT5JEJD\redblue SID (S-1-5-21-4230960370-218822903-690480705-1002) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
|
| | System | Warning | None | 2020-03-18 11:52:12 | redblue | DCOM | 10016: The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID {C2F03A33-21F5-47FA-B4BB-156362A2F239} and APPID {316CDED5-E4AE-4B15-9113-7055D84DCC97} to the user DESKTOP-UT5JEJD\redblue SID (S-1-5-21-4230960370-218822903-690480705-1002) from address LocalHost (Using LRPC) running in the application container Microsoft.Windows.ShellExperienceHost_10.0.18362.449_neutral_neutral_cw5n1h2txyewy SID (S-1-15-2-155514346-2573954481-755741238-1654018636-1233331829-3075935687-2861478708). This security permission can be modified using the Component Services administrative tool.
|
| | System | Warning | None | 2020-03-18 11:52:15 | redblue | DCOM | 10016: The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID {C2F03A33-21F5-47FA-B4BB-156362A2F239} and APPID {316CDED5-E4AE-4B15-9113-7055D84DCC97} to the user DESKTOP-UT5JEJD\redblue SID (S-1-5-21-4230960370-218822903-690480705-1002) from address LocalHost (Using LRPC) running in the application container Microsoft.Windows.ShellExperienceHost_10.0.18362.449_neutral_neutral_cw5n1h2txyewy SID (S-1-15-2-155514346-2573954481-755741238-1654018636-1233331829-3075935687-2861478708). This security permission can be modified using the Component Services administrative tool.
|
| | System | Warning | None | 2020-03-18 11:52:47 | redblue | DCOM | 10016: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {2593F8B9-4EAF-457C-B68A-50F6B8EA6B54} and APPID {15C20B67-12E7-4BB6-92BB-7AFF07997402} to the user DESKTOP-UT5JEJD\redblue SID (S-1-5-21-4230960370-218822903-690480705-1002) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
|
| | System | Warning | None | 2020-03-18 11:55:28 | redblue | DCOM | 10016: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {2593F8B9-4EAF-457C-B68A-50F6B8EA6B54} and APPID {15C20B67-12E7-4BB6-92BB-7AFF07997402} to the user DESKTOP-UT5JEJD\redblue SID (S-1-5-21-4230960370-218822903-690480705-1002) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
|
| | System | Warning | None | 2020-03-18 11:56:30 | SYSTEM | Microsoft-Windows-WLAN-AutoConfig | 10002: WLAN Extensibility Module has stopped. Module Path: C:\Windows\system32\IntelIHVRouter08.dll
|
| | System | Warning | 212 | 2020-03-18 11:56:43 | SYSTEM | Microsoft-Windows-Kernel-PnP | 219: The driver \Driver\WudfRd failed to load for the device PCI\VEN_8086&DEV_8A03&SUBSYS_03611854&REV_03\3&11583659&0&20.
|
| | System | Warning | 212 | 2020-03-18 11:56:44 | SYSTEM | Microsoft-Windows-Kernel-PnP | 219: The driver \Driver\WudfRd failed to load for the device ACPI\GXFP5A8B\4&33f16e05&0.
|
| | System | Warning | None | 2020-03-18 11:56:55 | | Netwtw08 | 6062: 6062 - Lso was triggered
|
| | System | Error | None | 2020-03-18 11:57:35 | | Service Control Manager | 7009: A timeout was reached (45000 milliseconds) while waiting for the SynaAssist service to connect.
|
| | System | Error | None | 2020-03-18 11:57:35 | | Service Control Manager | 7000: The SynaAssist service failed to start due to the following error: %%1053
|
| | System | Warning | None | 2020-03-18 11:57:36 | SYSTEM | Microsoft-Windows-WLAN-AutoConfig | 10002: WLAN Extensibility Module has stopped. Module Path: C:\Windows\system32\IntelIHVRouter08.dll
|
| | System | Warning | 212 | 2020-03-18 11:57:49 | SYSTEM | Microsoft-Windows-Kernel-PnP | 219: The driver \Driver\WudfRd failed to load for the device PCI\VEN_8086&DEV_8A03&SUBSYS_03611854&REV_03\3&11583659&0&20.
|
| | System | Warning | 212 | 2020-03-18 11:57:50 | SYSTEM | Microsoft-Windows-Kernel-PnP | 219: The driver \Driver\WudfRd failed to load for the device ACPI\GXFP5A8B\4&33f16e05&0.
|
| | System | Warning | None | 2020-03-18 11:58:01 | | Netwtw08 | 6062: 6062 - Lso was triggered
|
| | System | Error | None | 2020-03-18 11:58:42 | | Service Control Manager | 7009: A timeout was reached (45000 milliseconds) while waiting for the SynaAssist service to connect.
|
| | System | Error | None | 2020-03-18 11:58:42 | | Service Control Manager | 7000: The SynaAssist service failed to start due to the following error: %%1053
|
| | System | Warning | None | 2020-03-18 11:59:01 | redblue | DCOM | 10016: The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID {C2F03A33-21F5-47FA-B4BB-156362A2F239} and APPID {316CDED5-E4AE-4B15-9113-7055D84DCC97} to the user DESKTOP-UT5JEJD\redblue SID (S-1-5-21-4230960370-218822903-690480705-1002) from address LocalHost (Using LRPC) running in the application container Microsoft.Windows.ShellExperienceHost_10.0.18362.449_neutral_neutral_cw5n1h2txyewy SID (S-1-15-2-155514346-2573954481-755741238-1654018636-1233331829-3075935687-2861478708). This security permission can be modified using the Component Services administrative tool.
|
| | System | Warning | 7 | 2020-03-18 11:59:01 | SYSTEM | Microsoft-Windows-Kernel-Processor-Power | 37: The speed of Hyper-V logical processor 7 is being limited by system firmware. The processor has been in this reduced performance state for 71 seconds since the last report.
|
| | System | Warning | None | 2020-03-18 11:59:02 | redblue | DCOM | 10016: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {2593F8B9-4EAF-457C-B68A-50F6B8EA6B54} and APPID {15C20B67-12E7-4BB6-92BB-7AFF07997402} to the user DESKTOP-UT5JEJD\redblue SID (S-1-5-21-4230960370-218822903-690480705-1002) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
|
| | System | Warning | None | 2020-03-18 12:00:44 | SYSTEM | DCOM | 10016: The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID Windows.SecurityCenter.WscBrokerManager and APPID Unavailable to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
|
| | System | Warning | None | 2020-03-18 12:00:44 | SYSTEM | DCOM | 10016: The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID Windows.SecurityCenter.SecurityAppBroker and APPID Unavailable to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
|
| | System | Warning | None | 2020-03-18 12:00:44 | SYSTEM | DCOM | 10016: The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID Windows.SecurityCenter.WscDataProtection and APPID Unavailable to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
|
| | System | Warning | None | 2020-03-18 12:04:54 | redblue | DCOM | 10016: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {2593F8B9-4EAF-457C-B68A-50F6B8EA6B54} and APPID {15C20B67-12E7-4BB6-92BB-7AFF07997402} to the user DESKTOP-UT5JEJD\redblue SID (S-1-5-21-4230960370-218822903-690480705-1002) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
|
| | System | Error | 2 | 2020-03-18 13:10:37 | | Microsoft-Windows-NDIS | 10317: Miniport Microsoft Wi-Fi Direct Virtual Adapter #2, {16d1bd60-e7f5-4fd4-b8f2-eeec0cc58a2e}, had event 74
|
| | System | Warning | None | 2020-03-18 13:10:47 | redblue | DCOM | 10016: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {2593F8B9-4EAF-457C-B68A-50F6B8EA6B54} and APPID {15C20B67-12E7-4BB6-92BB-7AFF07997402} to the user DESKTOP-UT5JEJD\redblue SID (S-1-5-21-4230960370-218822903-690480705-1002) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
|
| | System | Warning | None | 2020-03-18 13:10:52 | | Netwtw08 | 6062: 6062 - Lso was triggered
|
| | System | Warning | None | 2020-03-18 13:10:58 | redblue | DCOM | 10016: The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID {C2F03A33-21F5-47FA-B4BB-156362A2F239} and APPID {316CDED5-E4AE-4B15-9113-7055D84DCC97} to the user DESKTOP-UT5JEJD\redblue SID (S-1-5-21-4230960370-218822903-690480705-1002) from address LocalHost (Using LRPC) running in the application container Microsoft.Windows.ShellExperienceHost_10.0.18362.449_neutral_neutral_cw5n1h2txyewy SID (S-1-15-2-155514346-2573954481-755741238-1654018636-1233331829-3075935687-2861478708). This security permission can be modified using the Component Services administrative tool.
|